
bcrypt

Versions: 5
License: (value not captured)
Install scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

• No SLSA provenance
• npm registry signatures
• No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source. A registry signature only shows that the npm registry served this exact tarball; it says nothing about which commit, if any, the tarball was built from. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

jfirebaugh, tootallnate, ncb000gt, defunctzombie, amitosh

Keywords

bcrypt, password, auth, authentication, encryption, crypt, crypto

Accepted risks

Findings the reviewer chose to accept rather than block on.

Columns: Source, Rule, Reason, Accepted by, When (the When column was empty for every row).

Source: npm-metadata
Rule: bundled-binaries
Reason: AI (npm-metadata): Prebuilt .node binaries for multiple platforms are the expected output of prebuildify; this is bcrypt's native addon distribution method.
Accepted by: ai

Source: phantom-deps
Rule: phantom-dep:node-addon-api
Reason: AI (phantom-deps): node-addon-api is a build-time dependency for native addons, referenced in binding.gyp, not imported in JS. Expected pattern for this package.
Accepted by: ai

Source: source-diff
Rule: encoded-string-file:test/implementation.js
Reason: AI (source-diff): Long strings in test/implementation.js are bcrypt test vectors (known password/hash pairs). This is expected for a cryptographic library's test suite and not a malicious payload.
Accepted by: ai

Source: publish-pattern
Rule: new-deps-added
Reason: AI (publish-pattern): Switch from node-pre-gyp to @mapbox/node-pre-gyp is the documented, official migration path for this dependency. Benign and expected for native addon packages.
Accepted by: ai

Source: install-scripts
Rule: install-script:install
Reason: AI (install-scripts): node-pre-gyp install --fallback-to-build is the standard native addon install pattern for bcrypt; stable and expected for this package.
Accepted by: ai

Source: semgrep
Rule: semgrep:dynamic-require
Reason: AI (semgrep): Dynamic require of binding_path is the standard node-pre-gyp pattern for loading native .node binaries; not a security risk for this package.
Accepted by: ai

Versions (showing 5 of 5)

Version   Deps    Published
6.0.0     2 / 2   (not captured)
5.1.1     2 / 1   (not captured)
5.1.0     2 / 1   (not captured)
5.0.1     2 / 1   (not captured)
5.0.0     2 / 1   (not captured)

v6.0.0

4 findings
HIGH (install-scripts): Package has 'install' script

Script: node-gyp-build

HIGH (npm-metadata): Bundled binary files (10)

Package contains compiled binaries, which cannot be reviewed as source and could carry a backdoor:
• prebuilds/linux-arm/bcrypt.glibc.node
• prebuilds/linux-arm64/bcrypt.glibc.node
• prebuilds/linux-x64/bcrypt.glibc.node
• prebuilds/linux-arm/bcrypt.musl.node
• prebuilds/linux-arm64/bcrypt.musl.node
• prebuilds/linux-x64/bcrypt.musl.node
• prebuilds/darwin-arm64/bcrypt.node
• prebuilds/darwin-x64/bcrypt.node
• prebuilds/win32-arm64/bcrypt.node
• prebuilds/win32-x64/bcrypt.node
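The two HIGH findings above are the ones a reviewer has to triage by hand on every native-addon release: which lifecycle hook runs, which loader it invokes, and whether the binaries it will load are in the tarball or fetched at install time. The script below is an added example, not bcrypt's own code or the scanner's, that performs that triage from package metadata. The SAMPLES records are constructed to resemble an `npm pack --json` file list plus a package.json "scripts" block; the paths echo the report, but the records themselves are illustrative assumptions, and the "suspicious" record is entirely hypothetical.

```javascript
// Added example, not bcrypt's own code: triage the 'install' script and
// bundled-binary findings from package metadata alone. SAMPLES is constructed
// to resemble `npm pack --json` file lists plus the package.json "scripts"
// block; the paths echo the report above, but every record is illustrative.

// Hooks that can run code on install ("prepare" runs for git dependencies).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Known native-addon loaders. Order matters: "node-gyp" would also match
// "node-gyp-build", so the more specific names come first.
//  - node-gyp-build: locates a prebuild shipped inside the tarball; compiles only as fallback
//  - node-pre-gyp:   downloads a prebuilt binary from a remote URL at install time; compiles as fallback
//  - node-gyp:       always compiles from the bundled C/C++ source
const LOADERS = [
  { name: "node-gyp-build", pattern: /\bnode-gyp-build\b/ },
  { name: "node-pre-gyp", pattern: /\bnode-pre-gyp\b/ },
  { name: "node-gyp", pattern: /\bnode-gyp\b/ },
];

function classifyScript(command) {
  const loader = LOADERS.find((l) => l.pattern.test(command));
  return loader ? loader.name : "unknown";
}

// prebuildify layout: prebuilds/<platform>-<arch>/<name>[.<libc>].node
function nativeBinaries(files) {
  return files
    .filter((p) => p.endsWith(".node"))
    .map((p) => {
      const m = /^prebuilds\/([^\/]+)\/(.+)\.node$/.exec(p);
      return { path: p, target: m ? m[1] : "unknown", name: m ? m[2] : p };
    });
}

function triageVersion(record) {
  const scripts = record.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => scripts[h]).map((h) => ({
    hook: h,
    command: scripts[h],
    loader: classifyScript(scripts[h]),
  }));
  const binaries = nativeBinaries(record.files || []);
  const loaders = hooks.map((h) => h.loader);
  // With prebuildify + node-gyp-build the hook only finds a prebuild that is
  // already in the tarball, so `npm install --ignore-scripts` loses nothing and
  // the module still loads. With node-pre-gyp the hook is what fetches the
  // binary, so ignoring scripts means running `npm rebuild` (from source)
  // afterwards. Anything else gets a human look before it runs.
  const ignoreScriptsSafe =
    hooks.length === 0 ||
    (loaders.every((l) => l === "node-gyp-build") && binaries.length > 0);
  return {
    hooks,
    binaries,
    ignoreScriptsSafe,
    hasUnknownHook: loaders.includes("unknown"),
  };
}

// Constructed records (assumptions, not real bcrypt tarballs).
const SAMPLES = {
  "6.0.0-like": {
    scripts: { install: "node-gyp-build" },
    files: [
      "package.json", "bcrypt.js", "binding.gyp", "src/bcrypt_node.cc",
      "prebuilds/linux-x64/bcrypt.glibc.node",
      "prebuilds/linux-x64/bcrypt.musl.node",
      "prebuilds/darwin-arm64/bcrypt.node",
      "prebuilds/win32-x64/bcrypt.node",
    ],
  },
  "5.x-like": {
    scripts: { install: "node-pre-gyp install --fallback-to-build" },
    files: ["package.json", "bcrypt.js", "binding.gyp", "src/bcrypt_node.cc"],
  },
  // Hypothetical: an unexplained postinstall plus a binary outside prebuilds/.
  "suspicious": {
    scripts: { postinstall: "node ./scripts/setup.js" },
    files: ["package.json", "index.js", "scripts/setup.js", "vendor/helper.node"],
  },
};

for (const [label, record] of Object.entries(SAMPLES)) {
  const t = triageVersion(record);
  console.log(label, {
    hooks: t.hooks.map((h) => `${h.hook}=${h.loader}`),
    binaries: t.binaries.length,
    ignoreScriptsSafe: t.ignoreScriptsSafe,
    hasUnknownHook: t.hasUnknownHook,
  });
}
```

The practical outcome of the classification is an install policy: a prebuildify package can be installed with `--ignore-scripts` and still work, a node-pre-gyp package needs a rebuild from the bundled source if scripts are ignored, and an unrecognised hook is reviewed before it ever executes. The `.node` files themselves still have to be trusted on some other basis (a reproducible build or a hash pinned from a reviewed release), which metadata alone cannot provide.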

HIGH (provenance): Missing gitHead; previous versions had it

This version has no gitHead field linking it to a source commit, but previous versions did. npm records gitHead from the git HEAD of the directory being published, so its disappearance suggests the publish environment changed (for example, a publish from a directory or CI job that is not a git checkout). Published by: amitosh.

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD (npm publish --provenance from a supported CI system).
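The provenance summary at the top of the page and the two provenance findings here rest on three separate fields of the registry's version record: gitHead, dist.signatures and dist.attestations. The script below is an added example, not bcrypt's code and not npm's, that reads those fields and reproduces the findings, including the cross-version "previous versions had gitHead" check. SAMPLE_PACKUMENT is a constructed subset of the shape `npm view bcrypt --json` returns; the version numbers follow the report, but every field value, the commit ids included, is a stand-in.

```javascript
// Added example, not bcrypt's or npm's code: derive the provenance findings
// from registry version metadata. SAMPLE_PACKUMENT is a constructed subset of
// the shape `npm view bcrypt --json` returns; the version numbers follow the
// report, but every field value (including the commit hashes) is a stand-in.

const fakeSha = (c) => c.repeat(40); // placeholder for a 40-hex-char commit id
const signedDist = { signatures: [{ keyid: "SHA256:placeholder", sig: "placeholder" }] };

const SAMPLE_PACKUMENT = {
  name: "bcrypt",
  versions: {
    "5.0.0": { gitHead: fakeSha("1"), dist: { ...signedDist } },
    "5.0.1": { gitHead: fakeSha("2"), dist: { ...signedDist } },
    "5.1.0": { gitHead: fakeSha("3"), dist: { ...signedDist } },
    "5.1.1": { gitHead: fakeSha("4"), dist: { ...signedDist } },
    "6.0.0": { dist: { ...signedDist } }, // no gitHead, no attestations
  },
};

// Numeric major.minor.patch ordering; pre-release tags are not needed here.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// The three independent signals the report's provenance section names.
function provenanceSignals(version) {
  const dist = version.dist || {};
  return {
    // gitHead: commit id npm records when publishing from a git checkout
    gitHead: typeof version.gitHead === "string" && /^[0-9a-f]{40}$/.test(version.gitHead),
    // dist.signatures: registry-side signature over the tarball integrity hash
    registrySignature: Array.isArray(dist.signatures) && dist.signatures.length > 0,
    // dist.attestations: Sigstore bundle produced by `npm publish --provenance`
    attestation: Boolean(dist.attestations && dist.attestations.url),
  };
}

function auditProvenance(packument) {
  const report = {};
  let anyEarlierHadGitHead = false;
  for (const v of Object.keys(packument.versions).sort(compareSemver)) {
    const signals = provenanceSignals(packument.versions[v]);
    const findings = [];
    if (!signals.attestation) {
      findings.push({ severity: "LOW", rule: "no-provenance-attestation" });
    }
    if (!signals.gitHead && anyEarlierHadGitHead) {
      // The publish environment changed: earlier releases came from a git
      // checkout, this one did not. Worth a question to the maintainer.
      findings.push({ severity: "HIGH", rule: "githead-missing-regression" });
    }
    if (!signals.registrySignature) {
      findings.push({ severity: "HIGH", rule: "no-registry-signature" });
    }
    report[v] = { signals, findings };
    anyEarlierHadGitHead = anyEarlierHadGitHead || signals.gitHead;
  }
  return report;
}

for (const [v, r] of Object.entries(auditProvenance(SAMPLE_PACKUMENT))) {
  console.log(v, r.findings.map((f) => `${f.severity}:${f.rule}`).join(", ") || "clean");
}
```

Against live data, replace SAMPLE_PACKUMENT with the parsed output of `npm view bcrypt --json`. The script only checks that the fields are present; the cryptographic verification of registry signatures and Sigstore attestations against the installed lockfile is what `npm audit signatures` does, and a gitHead is only a claim until the tarball contents are diffed against that commit.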

v5.1.1

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v5.1.0

2 findings
HIGH (install-scripts): Package has 'install' script

Script: node-pre-gyp install --fallback-to-build

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v5.0.1

2 findings
HIGH (source-diff): Long encoded string in modified file: test/implementation.js

Modified file contains 4 long encoded strings (200+ characters). Strings of this length are commonly used to hide malicious payloads; the accepted-risk entry above attributes these to bcrypt test vectors (known password/hash pairs).

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v5.0.0

2 findings
HIGH (install-scripts): Package has 'install' script

Script: node-pre-gyp install --fallback-to-build

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.