assert
The assert module from Node.js, for the browser.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's integrity hash only proves that a download matches the bytes that were uploaded, not that those bytes were built from the repository the package claims. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:es6-object-assign | AI (dependencies): es6-object-assign is a well-known, straightforward polyfill appropriate for a browser-targeting assert module. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Large maintainer list is consistent with browserify org's known practice of adding community maintainers. Legitimate org transfer. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): shtylman removal is part of the documented transfer to the browserify organization; not indicative of a hostile takeover. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of Babel build pipeline producing transpiled output in build/ directory. No obfuscation or injected payloads. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transfer to browserify org; lukechilds is a trusted publisher with strong track record. Repository matches browserify/commonjs-assert. | ai | |
| dependencies | unvetted-dep:object-is | AI (dependencies): object-is is a well-known ljharb-maintained polyfill; appropriate dependency for a browser assert module. No malicious history. | ai | |
| provenance | no-provenance | AI (provenance): Lack of provenance is common for this package's age and ecosystem; publisher is highly trusted with long track record. | ai | |
| dependencies | unvetted-dep:is-nan | AI (dependencies): is-nan is a well-known ljharb-maintained polyfill; appropriate dependency for a browser assert module. No malicious history. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 2.0.0 | 4 / 10 | |
| 1.5.1 | 2 / 3 | |
| 1.5.0 | 2 / 3 | |
| 1.4.1 | 1 / 3 | |
| 1.4.0 | 2 / 2 | |
| 1.3.0 | 1 / 2 | |
| 1.2.0 | 1 / 2 | |
| 1.1.2 | 1 / 2 | |
| 1.1.1 | 1 / 2 | |
| 1.1.0 | 1 / 2 | |
| 1.0.3 | 1 / 2 | |
| 1.0.2 | 1 / 2 | |
| 1.0.1 | 1 / 2 | |
| 1.0.0 | 1 / 1 | |
| 0.4.9 | 1 / 0 | |
v2.0.0
2 findings: This version was published by a different npm account than previous versions on 2019-05-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
2 findings: This version was published by a different npm account than previous versions on 2019-05-08. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
2 findings: This version was published by a different npm account than previous versions on 2016-05-31. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings: This version was published by a different npm account than previous versions on 2016-05-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.