bare-node-runtime
Compatibility layer for Node.js builtins and globals in Bare
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:bare-diagnostics-channel | AI (phantom-deps): Same config-file declaration pattern as other accepted bare-* phantom deps. | ai | |
| phantom-deps | phantom-dep:bare-punycode | AI (phantom-deps): Same config-file declaration pattern as other accepted bare-* phantom deps. | ai | |
| phantom-deps | phantom-dep:bare-sqlite | AI (phantom-deps): bare-node-runtime declares deps in config files (imports.json), not direct JS imports; consistent with all other bare-* phantom findings already accepted. | ai | |
| phantom-deps | phantom-dep:bare-async-hooks | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:bare-subprocess | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:bare-inspector | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:bare-querystring | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): mafintosh is a core Holepunch contributor; addition is expected for this org's packages. | ai | |
| phantom-deps | phantom-dep:bare-string-decoder | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:bare-performance | AI (phantom-deps): Same re-export pattern; stable false positive. | ai | |
| dependencies | unvetted-dep:bare-buffer | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-performance | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-vm | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-dns | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-net | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-tls | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-repl | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-zlib | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-http1 | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-https | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-crypto | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-module | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-timers | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-worker | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-console | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-subprocess | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-async-hooks | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:bare-string-decoder | AI (dependencies): First-party Holepunch bare-* ecosystem dep; consistent with package purpose. | ai | |
| phantom-deps | phantom-dep:bare-console | AI (phantom-deps): Runtime shim; deps referenced via imports map, not direct require — phantom-dep is a stable FP for this package. | ai | |
| phantom-deps | phantom-dep:bare-readline | AI (phantom-deps): Runtime shim; deps referenced via imports map, not direct require — phantom-dep is a stable FP for this package. | ai | |
| phantom-deps | phantom-dep:bare-worker | AI (phantom-deps): Same pattern — exports via imports.json, not direct import. | ai | |
| phantom-deps | phantom-dep:bare-events | AI (phantom-deps): Same pattern: re-exported via imports.json, not directly imported. | ai | |
| phantom-deps | phantom-dep:bare-fs | AI (phantom-deps): bare-* deps are declared as peer/runtime deps for the Bare runtime compatibility layer; phantom-dep heuristic doesn't apply. | ai | |
| phantom-deps | phantom-dep:bare-zlib | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-dgram | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-http1 | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-https | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-utils | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-assert | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-buffer | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-module | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-timers | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-os | AI (phantom-deps): Same as bare-fs — runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-repl | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-path | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-url | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-tty | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-tls | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-net | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-vm | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-dns | AI (phantom-deps): Runtime compatibility layer pattern. | ai | |
| phantom-deps | phantom-dep:bare-v8 | AI (phantom-deps): Runtime compatibility layer; deps referenced via config/imports.json, not direct imports. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 1.4.0 | 39 / 3 | |
| 1.3.1 | 38 / 3 | |
| 1.0.4 | 34 / 2 | |
| 1.0.3 | 34 / 0 | |
| 1.0.2 | 34 / 0 | |
| 1.0.1 | 33 / 0 | |
| 1.0.0 | 33 / 0 | |
v1.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.