← Home

browser-builtins

npm Repository Homepage

Builtins that were extracted from node-browser-resolve on which browserify depends

18
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

alexgorbatchevandreasmadsen

Keywords

resolvebrowser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:test/browser/querystring-simple.js AI (source-diff): File is a standard Node.js querystring test fixture (Joyent copyright) using tape. The 'network+exec' detection is a false positive on test infrastructure for this browser-polyfill package. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance; established publisher with strong track record. No provenance is expected for this package's age. ai
provenance publisher-changed AI (provenance): Publisher change from alexgorbatchev to andreasmadsen occurred in 2015; andreasmadsen is listed as a contributor in package.json. Legitimate historical handoff, not a recent compromise signal. ai
phantom-deps phantom-dep:punycode AI (phantom-deps): browser-builtins uses the 'browser' field in package.json to map Node builtins to polyfills; these deps are referenced via browser field config, not direct require(). Stable false positive for this package type. ai
phantom-deps phantom-dep:tty-browserify AI (phantom-deps): Referenced via browser field mapping for tty builtin, not direct require(). Expected pattern for browser polyfill packages. ai
phantom-deps phantom-dep:https-browserify AI (phantom-deps): Referenced via browser field mapping for https builtin, not direct require(). Expected pattern for browser polyfill packages. ai

Versions (showing 18 of 18)

Version Deps Published
3.3.1 17 / 2
3.3.0 17 / 2
3.2.0 17 / 2
3.1.0 9 / 2
3.0.0 9 / 3
2.0.5 9 / 3
2.0.4 9 / 1
2.0.3 9 / 1
2.0.2 9 / 1
2.0.1 9 / 1
2.0.0 9 / 1
1.0.7 9 / 0
1.0.6 9 / 0
1.0.5 9 / 0
1.0.4 9 / 0
1.0.3 8 / 0
1.0.2 8 / 0
1.0.1 7 / 0

v3.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

2 findings
HIGH Publisher changed: alexgorbatchev → andreasmadsen (on 2015-03-07) provenance

This version was published by a different npm account than previous versions on 2015-03-07. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

2 findings
HIGH Publisher changed: alexgorbatchev → andreasmadsen (on 2014-07-21) provenance

This version was published by a different npm account than previous versions on 2014-07-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

2 findings
HIGH New file with network + code execution: test/browser/querystring-simple.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

2 findings
HIGH New file with network + code execution: test/browser/querystring-simple.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.