bower
The browser package manager
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Bower is a legacy package manager predating Sigstore provenance; absence is expected and not a risk signal here. | ai | |
| source-diff | net-exec-file:lib/node_modules/bower-registry-client/node_modules/ajv/dist/ajv.bundle.js | AI (source-diff): Standard UMD/browserify bundle of ajv JSON Schema validator. The 'network' and 'exec' patterns are UMD boilerplate and new Function() for async transpilation, not malware. | ai | |
| source-diff | net-exec-file:lib/node_modules/bower-registry-client/node_modules/ajv/dist/ajv.min.js | AI (source-diff): Minified UMD bundle of ajv 4.11.8. Same false-positive pattern as the bundle file — UMD wrapper and new Function() for generator support, not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:lib/node_modules/redeyed/node_modules/esprima/esprima.js | AI (source-diff): This is the legitimate esprima JavaScript parser, a well-known open-source library. The 'obfuscation' is standard minification; copyright headers confirm authenticity. Stable false positive for bower. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): bower is a package manager that legitimately uses dynamic require() to load package metadata and plugins; this pattern is expected across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): bower legitimately spawns child processes to run git and other VCS commands; child_process usage is expected and stable across all versions. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): bower legitimately uses child_process.spawn() to invoke git and other tools; this is core functionality stable across all versions. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 1.8.13 | 0 / 0 | |
| 1.8.12 | 0 / 0 | |
| 1.8.11 | 0 / 0 | |
| 1.8.10 | 49 / 0 | |
| 1.8.9 | 0 / 0 | |
| 1.8.8 | 0 / 0 | |
v1.8.13
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.12
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.11
3 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.10
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.9
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.8
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.