browserify-sign
adds node crypto signing for browsers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:hash-base | AI (phantom-deps): hash-base is properly declared as a dependency and used transitively; common pattern in browserify packages. | ai | |
| dependencies | unvetted-dep:parse-asn1 | AI (dependencies): parse-asn1 is a core crypto-browserify ecosystem dependency; its use here is expected and legitimate for ASN.1 parsing in cryptographic operations. | ai | |
| dependencies | unvetted-dep:create-hmac | AI (dependencies): create-hmac is a standard crypto-browserify ecosystem package for HMAC; its use here is expected and legitimate. | ai | |
| dependencies | unvetted-dep:create-hash | AI (dependencies): create-hash is a standard crypto-browserify ecosystem package for hashing; its use here is expected and legitimate. | ai | |
| dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic is the canonical ECC library for the Node.js/browser crypto ecosystem; its use in a signing library is expected and appropriate. | ai | |
| provenance | no-provenance | AI (provenance): Package is over 11 years old; provenance attestation was not available at publish time. Not a meaningful risk signal for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate older crypto utility package; sparse README and near-empty index.js are consistent with the package's age and style, not spam indicators. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding of static algorithm IDs from config file is standard cryptographic practice, not a payload vector. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 4.2.4 | 9 / 10 | |
| 4.2.3 | 10 / 10 | |
| 4.2.2 | 9 / 10 | |
| 2.5.2 | 5 / 2 | |
| 2.4.0 | 7 / 2 | |
| 2.3.0 | 6 / 2 | |
| 2.2.0 | 6 / 2 | |
| 2.1.0 | 6 / 2 | |
| 2.0.0 | 6 / 2 | |
v2.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.