buster-core
Buster core utilities
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:vendor/sinon/test/rhino/env.rhino.1.2.js | AI (source-diff): This is the well-known Envjs browser environment library (MIT), vendored as a Sinon.js test dependency. Long lines are from minification, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:vendor/sinon/test/rhino/env.rhino.1.2.js | AI (source-diff): Envjs simulates browser networking and eval as its core purpose. Network+exec pattern is expected behavior for a browser environment emulator used in test infrastructure only. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are vendored Sinon.js test suite files, a legitimate test dependency addition by a well-established publisher. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely attributable to vendoring the Sinon.js test suite including Envjs. No runtime payload concern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require is a documented buster.js helper that only loads 'buster-*' sub-modules by design. It is not arbitrary module loading and poses no real risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is ~14 years old and part of the legitimate buster.js testing framework. Sparse metadata is consistent with its age, not spam indicators. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.6.4 | 0 / 2 | |
| 0.6.3 | 0 / 2 | |
| 0.6.2 | 0 / 2 | |
| 0.6.1 | 0 / 2 | |
| 0.6.0 | 0 / 2 | |
| 0.5.1 | 0 / 2 | |
| 0.5.0 | 0 / 2 | |
| 0.4.0 | 0 / 2 | |
| 0.3.1 | 0 / 2 | |
| 0.3.0 | 0 / 2 |
v0.6.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.