busboy
A streaming parser for HTML form data for node.js
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:mscdex-busboy-5a1040d/deps/encoding/encoding-indexes.js | AI (source-diff): Vendored encoding-indexes.js contains character encoding lookup tables (large integer arrays) from the Encoding Standard polyfill — not obfuscated code. | ai | |
| source-diff | obfuscated-file:mscdex-busboy-f70e0dd/deps/encoding/encoding-indexes.js | AI (source-diff): WHATWG encoding index data file containing numeric code point arrays for character set mappings; long lines are data, not obfuscation. | ai | |
| source-diff | encoded-string-file:test/test-types-multipart.js | AI (source-diff): Test file contains repeated single-char strings (AAAA…, BBBB…) as mock multipart payloads — not obfuscated code. Stable false positive for busboy. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads modules from the package's own local ./types/ directory using __dirname — a standard plugin-loader pattern, not arbitrary code execution. | ai | |
| dependencies | unvetted-dep:dicer | AI (dependencies): dicer is mscdex's own companion package and the canonical multipart stream splitter dependency for busboy; this is expected and benign. | ai |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 1.6.0 | 1 / 2 | |
| 1.5.0 | 1 / 2 | |
| 1.4.0 | 1 / 2 | |
| 1.3.0 | 1 / 2 | |
| 1.2.0 | 1 / 2 | |
| 1.1.0 | 1 / 2 | |
| 1.0.0 | 1 / 2 | |
| 0.3.1 | 1 / 0 | |
| 0.2.14 | 2 / 0 | |
| 0.1.1 | 2 / 0 | |
| 0.1.0 | 2 / 0 |
v1.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.14
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
2 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.