bufferstream
painless stream buffering and cutting
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance nothing cryptographically ties the published tarball to the public source repository or to a CI build that produced it; the axios compromise (March 2026) relied on exactly this gap.
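The check behind this status, as an added example rather than the scanner's own code: it reads an npm packument's per-version `dist` object and reports whether the registry advertises a Sigstore/SLSA provenance attestation for it. It assumes the public registry's layout, where provenance-backed versions carry `dist.attestations.provenance.predicateType` with a SLSA provenance predicate URI. The two version records below are constructed for illustration (the `9.9.9-example` entry is hypothetical and does not describe a real bufferstream release).

```python
"""Report provenance status for npm version records.

Added example; not part of this report's tooling. Assumes the public
registry packument layout: versions[<ver>].dist.attestations.provenance
.predicateType is present only when npm recorded a provenance attestation.
"""
from __future__ import annotations

# SLSA provenance predicate URIs npm has emitted; anything else is flagged.
SLSA_PREDICATES = {
    "https://slsa.dev/provenance/v0.2",
    "https://slsa.dev/provenance/v1",
}

# Constructed sample records (not real registry data).
SAMPLE_VERSIONS = {
    # An old release with no attestation object at all.
    "0.6.1": {
        "dist": {
            "tarball": "https://registry.npmjs.org/bufferstream/-/bufferstream-0.6.1.tgz",
        }
    },
    # Hypothetical release published with provenance from CI.
    "9.9.9-example": {
        "dist": {
            "tarball": "https://registry.example/bufferstream-9.9.9-example.tgz",
            "attestations": {
                "url": "https://registry.example/-/npm/v1/attestations/bufferstream@9.9.9-example",
                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
            },
        }
    },
}


def provenance_status(version_record: dict) -> str:
    """Classify one version record.

    Returns "none" when the registry advertises no attestations,
    "attestations-without-provenance" when an attestations object exists
    but carries no provenance summary, "slsa-provenance" for a known SLSA
    predicate, and "unknown-predicate:<uri>" otherwise.
    """
    dist = version_record.get("dist", {})
    attestations = dist.get("attestations")
    if not isinstance(attestations, dict):
        return "none"
    provenance = attestations.get("provenance")
    if not isinstance(provenance, dict):
        return "attestations-without-provenance"
    predicate = provenance.get("predicateType")
    if predicate in SLSA_PREDICATES:
        return "slsa-provenance"
    return f"unknown-predicate:{predicate}"


def audit(versions: dict) -> dict[str, str]:
    """Status for every version in a packument's ``versions`` map."""
    return {ver: provenance_status(rec) for ver, rec in versions.items()}


if __name__ == "__main__":
    for ver, status in audit(SAMPLE_VERSIONS).items():
        print(f"{ver}: {status}")
```

This only reads the registry's summary of what was attested; it does not verify anything. Actual verification (fetching the Sigstore bundle, checking the Fulcio certificate and Rekor inclusion, and matching the attested subject digest against the downloaded tarball) is what `npm audit signatures` does on an installed tree, and it needs network access.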
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Package is a native addon (node-waf build); size increase from 362B to 6KB is consistent with compiled output or legitimate source expansion, not injected payload. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall script is a literal no-op comment (#preinstall DO NOTHING). No code execution risk. Stable across all versions of this package. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script runs node-waf configure build — the standard Node.js 0.4.x era native addon build tool. Legitimate native C++ binding build step, consistent across all versions. | ai | |
| phantom-deps | phantom-dep:buffertools | AI (phantom-deps): buffertools is a native addon dependency used at build/link time; not directly imported in JS but legitimately declared. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:coffee-script | AI (phantom-deps): coffee-script is a build-time toolchain dependency for this legacy package. Not directly imported in JS but legitimately declared. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): The child_process spawn import appears in a test/example file with a hardcoded local path. Not a malicious use; stable false positive for this package. | ai | |
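The four heuristics the accepted findings above come from (install-script classification, phantom dependencies, size growth, child_process usage by file location), as an added example rather than the scanner's own implementation. The `package.json` and source files are constructed to resemble a node-waf era native addon and are not the real bufferstream files; the `require()` regex, the directory names treated as test/example locations, and the 3x size threshold are assumptions.

```python
"""Re-run the review heuristics behind the accepted-risk table on a
constructed package. Added example; not the scanner's code."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
TEST_DIRS = {"test", "tests", "example", "examples"}  # assumption
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"./][^'"]*)['"]\s*\)""")

# Constructed package.json modelled on the findings in the table.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-addon",
    "version": "0.4.3",
    "scripts": {
        "preinstall": "#preinstall DO NOTHING",
        "install": "node-waf configure build",
    },
    "dependencies": {"buffertools": "*", "coffee-script": "*"},
})

# Constructed JS sources keyed by path; neither declared dependency is required.
SAMPLE_SOURCES = {
    "lib/index.js": "var util = require('util');\n"
                    "module.exports = require('./build/default/binding.node');\n",
    "test/spawn.js": "var spawn = require('child_process').spawn;\n"
                     "spawn('/home/dev/example/bin/run');\n",
}


def classify_install_scripts(pkg: dict) -> list[tuple[str, str, str]]:
    """(hook, command, verdict) for each lifecycle hook present.

    npm hands the command to `sh -c`; a command that starts with `#` and has
    no newline is one shell comment and cannot execute anything. Everything
    else runs on `npm install` and deserves a look.
    """
    out = []
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd is None:
            continue
        s = cmd.strip()
        no_op = s.startswith("#") and "\n" not in s
        out.append((hook, cmd, "no-op (comment only)" if no_op else "executes on install"))
    return out


def _package_name(spec: str) -> str:
    parts = spec.split("/")
    return "/".join(parts[:2]) if spec.startswith("@") else parts[0]


def phantom_dependencies(pkg: dict, sources: dict[str, str]) -> list[str]:
    """Declared runtime dependencies that no JS file requires.

    For a native addon these can still be legitimate build/link-time deps,
    which is why the table accepts them rather than blocking."""
    required = {_package_name(spec) for text in sources.values()
                for spec in REQUIRE_RE.findall(text)}
    return sorted(set(pkg.get("dependencies", {})) - required)


def size_ratio_flag(prev_bytes: int, cur_bytes: int, factor: float = 3.0) -> bool:
    """True when the unpacked size grew by at least `factor` between versions."""
    return prev_bytes > 0 and cur_bytes / prev_bytes >= factor


def child_process_imports(sources: dict[str, str]) -> list[tuple[str, bool]]:
    """(path, under_test_or_example_dir) for files that load child_process."""
    hits = []
    for path, text in sources.items():
        if re.search(r"""require\(\s*['"]child_process['"]\s*\)""", text):
            hits.append((path, path.split("/")[0] in TEST_DIRS))
    return hits


def review(package_json: str, sources: dict[str, str], prev_bytes: int, cur_bytes: int) -> dict:
    pkg = json.loads(package_json)
    return {
        "install_scripts": classify_install_scripts(pkg),
        "phantom_deps": phantom_dependencies(pkg, sources),
        "size_tripled": size_ratio_flag(prev_bytes, cur_bytes),
        "child_process": child_process_imports(sources),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES, 362, 6 * 1024), indent=2))
```

The comment-only rule holds for the POSIX shell npm uses on Unix-like hosts; on Windows npm runs scripts through `cmd.exe`, where `#` is not a comment character, so a reviewer accepting a "no-op" preinstall should confirm which platforms the install is expected to run on.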
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.6.1 | 2 / 5 | |
| 0.4.3 | 2 / 2 | |
| 0.4.1 | 2 / 2 | |
| 0.1.6 | 2 / 0 | |
| 0.1.4 | 2 / 0 | |
v0.6.1
2 findings
- Maintainer email '[email protected]' uses domain 'blacksec.org', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
4 findings
- Script: #preinstall DO NOTHING
- Script: node-waf configure build
- Maintainer email '[email protected]' uses domain 'blacksec.org', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
4 findings
- Script: #preinstall DO NOTHING
- Script: node-waf configure build
- Maintainer email '[email protected]' uses domain 'blacksec.org', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
3 findings
- Script: #preinstall DO NOTHING
- Script: node-waf configure build
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.