bare-os

Operating system utilities for Javascript

Versions: 48
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

mafintosh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
install-scripts | install-script:install | AI (install-scripts): Native binding package; install script runs bare-dev rebuild to compile/fetch prebuilt binaries—standard and documented pattern. | ai |
provenance | no-provenance | AI (provenance): Lack of provenance is common across npm ecosystem; not a disqualifier for established packages with strong track records. | ai |
npm-metadata | bundled-binaries | AI (npm-metadata): bare-os is a native addon for the Bare runtime; prebuilt platform binaries are its documented distribution mechanism. Source code (binding.c, CMakeLists.txt) is included and SLSA provenance confirms CI/CD build integrity. | ai |

Versions (showing 48 of 48)

Version Deps Published
3.9.1 0 / 5
3.9.0 0 / 5
3.8.7 0 / 5
3.8.6 0 / 5
3.8.4 0 / 5
3.8.2 0 / 4
3.8.1 0 / 4
3.8.0 0 / 4
3.7.1 0 / 4
3.7.0 0 / 4
3.6.2 0 / 4
3.6.1 0 / 4
3.6.0 0 / 4
3.5.1 0 / 4
3.5.0 0 / 4
3.4.0 0 / 4
3.3.1 0 / 4
3.3.0 0 / 3
3.2.1 0 / 3
3.2.0 0 / 2
3.1.0 0 / 2
3.0.2 0 / 2
3.0.1 0 / 2
3.0.0 0 / 2
2.4.4 0 / 2
2.4.3 0 / 2
2.4.2 0 / 2
2.4.1 0 / 2
2.4.0 0 / 2
2.3.0 0 / 2
2.2.1 0 / 2
2.2.0 0 / 2
2.1.3 0 / 2
2.1.2 0 / 2
2.1.1 0 / 2
2.1.0 0 / 2
2.0.0 0 / 2
1.7.1 0 / 2
1.7.0 0 / 2
1.6.1 0 / 2
1.6.0 0 / 2
1.5.0 0 / 2
1.4.0 0 / 2
1.3.0 0 / 2
1.2.0 0 / 2
1.1.4 0 / 2
1.1.3 0 / 2
1.1.1 0 / 2

v3.9.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.