backbone
Give your JS App some Backbone with Models, Views, Collections, and Events.
Supply chain provenance
Status for the latest visible version (1.6.1): published without a Sigstore/SLSA provenance attestation (see the per-version findings below).
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:test/vendor/underscore-1.3.1.js | AI (source-diff): This is Underscore.js 1.3.1 by the same author (Ashkenas/DocumentCloud), included as a test vendor dependency. Not malicious. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of test vendor files and design assets (PDFs, PSDs, PNGs). No injected payload. | ai | |
| source-diff | net-exec-file:test/vendor/jquery-1.7.1.js | AI (source-diff): This is the canonical jQuery 1.7.1 library included as a test vendor dependency. The net+exec pattern is inherent to jQuery's AJAX/eval internals and is not malicious. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Underscore is Backbone's documented and expected runtime dependency. This finding is a stable false positive for this package. | ai | |
| source-diff | net-exec-file:test/vendor/underscore-1.1.6.js | AI (source-diff): Legitimate Underscore.js 1.1.6 vendored test fixture. Backbone's canonical dependency; net+exec pattern is a false positive on this well-known library. | ai | |
| source-diff | net-exec-file:test/vendor/jquery-1.5.js | AI (source-diff): Legitimate vendored jQuery 1.5 test fixture. The net+exec pattern is structural to jQuery's AJAX/eval design, not malware. Lives under test/vendor/ and is not a runtime file. | ai | |
| source-diff | net-exec-file:test/vendor/json2.js | AI (source-diff): Legitimate Crockford json2.js vendored test dependency. The net+exec pattern is a false positive on this well-known public domain library. | ai | |
| provenance | publisher-changed | AI (provenance): jridgewell is a well-established, trusted npm publisher who took over backbone maintenance from jashkenas in 2016. This is a long-standing legitimate transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jridgewell was added as a legitimate maintainer for backbone in 2016. This is a stable, known transition for this canonical package. | ai | |
Versions (showing 31 of 31)
| Version | Deps (runtime / dev) | Published |
|---|---|---|
| 1.6.1 | 1 / 11 | |
| 1.6.0 | 1 / 13 | |
| 1.5.0 | 1 / 10 | |
| 1.4.1 | 1 / 10 | 2022-02-26 |
| 1.4.0 | 1 / 9 | 2019-02-19 |
| 1.3.3 | 1 / 8 | |
| 1.3.2 | 1 / 8 | |
| 1.3.1 | 1 / 8 | 2016-03-04 |
| 1.2.3 | 1 / 7 | |
| 1.2.2 | 1 / 7 | |
| 1.2.1 | 1 / 6 | |
| 1.2.0 | 1 / 6 | |
| 1.1.2 | 1 / 3 | |
| 1.1.1 | 1 / 3 | |
| 1.1.0 | 1 / 3 | |
| 1.0.0 | 1 / 3 | |
| 0.9.10 | 1 / 1 | |
| 0.9.9 | 1 / 1 | |
| 0.9.2 | 1 / 0 | |
| 0.9.1 | 1 / 0 | |
| 0.9.0 | 1 / 0 | |
| 0.5.3 | 1 / 0 | |
| 0.5.2 | 1 / 0 | |
| 0.5.1 | 1 / 0 | |
| 0.5.0 | 1 / 0 | |
| 0.3.2 | 1 / 0 | |
| 0.3.1 | 1 / 0 | |
| 0.3.0 | 1 / 0 | |
| 0.2.0 | 1 / 0 | |
| 0.1.2 | 1 / 0 | |
| 0.1.1 | 0 / 0 | |
v1.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.4.1
2 findings:
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2022-02-26. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.0
2 findings:
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2019-02-19. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.3.1
2 findings:
- This version was published by a different npm account than previous versions on 2016-03-04. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.9.10
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.9.9
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.9.1
4 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.1
4 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.