buffertools
Working with node.js buffers made easy.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): preinstall runs 'node-waf configure', the standard native addon build configuration step for this era of Node.js. Stable and benign for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package is 5579 days old; provenance attestation did not exist when it was first published. No expectation of provenance for packages of this age. | ai | |
| source-diff | encoded-string-file:test.js | AI (source-diff): The long hex string in test.js is a legitimate test vector for buffer indexOf functionality (GH-10 regression test), not a malicious payload. Stable false positive for this package. | ai | |
| install-scripts | install-script:install | AI (install-scripts): buffertools is a native C++ addon; `node-gyp rebuild` is its standard and expected build step, stable across all versions of this package. | ai |
v2.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
2 findingsScript: node-waf configure
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.