crc
Module for calculating Cyclic Redundancy Check (CRC) for Node.js and the browser.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects legitimate refactoring to CoffeeScript-compiled sources, not a stub replacement. Consistent with package history. | ai | |
| source-diff | obfuscated-file:lib/crc32.js | AI (source-diff): File is CoffeeScript-compiled output (header confirms this); long line is a standard CRC32 lookup table, not obfuscation. Pattern is stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The 'buffer' dep is the standard feross/buffer browser polyfill, appropriate for a CRC library targeting both Node.js and browsers. | ai | |
| source-diff | obfuscated-file:lib/es6/crcjam.js | AI (source-diff): Long lines are pre-computed CRC lookup tables generated by pycrc.py, not obfuscation. This is standard CRC implementation practice and stable for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/crc32.js | AI (source-diff): Long lines are pre-computed CRC lookup tables generated by pycrc.py, not obfuscation. This is standard CRC implementation practice and stable for this package. | ai | |
| source-diff | obfuscated-file:lib/crcjam.js | AI (source-diff): Long line is a precomputed CRC-JAM polynomial lookup table generated by pycrc.py — standard pattern for CRC implementations, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Established package from trusted publisher; lack of Sigstore attestation is a best-practice gap, not a security risk for this package. | ai | |
| provenance | missing-githead | AI (provenance): Package restructured to ship dual ESM/CJS builds; publish environment change explains missing gitHead. Trusted publisher with strong track record. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crcjam.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of 87 new source files covering multiple CRC algorithm variants — legitimate package expansion, not injected payloads. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc8.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc16.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc16ccitt.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc16kermit.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc16modbus.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc24.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc32.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/es6/calculators/crc81wire.js | AI (source-diff): Long lines are pre-computed CRC lookup tables (hex arrays), not obfuscated code. Standard table-driven CRC implementation pattern for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 128 new files explained by dual ESM/CJS build output with per-calculator exports, as confirmed by the exports map in package.json. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): crc is a legitimate, established CRC calculation library; it is not a typosquat of cors — they are entirely different packages with different purposes. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 4.3.2 | 0 / 0 | |
| 4.3.1 | 0 / 0 | |
| 4.3.0 | 0 / 0 | |
| 4.2.0 | 0 / 0 | |
| 4.1.1 | 0 / 0 | |
| 4.1.0 | 0 / 0 | |
| 4.0.0 | 0 / 22 | |
| 3.8.0 | 1 / 17 | |
| 3.7.0 | 1 / 17 | |
| 3.6.0 | 1 / 17 | |
| 3.5.0 | 0 / 9 | |
| 3.4.4 | 0 / 9 | |
| 3.4.3 | 0 / 9 | |
| 3.4.2 | 0 / 9 | |
| 3.4.1 | 0 / 9 | |
| 3.4.0 | 0 / 8 | |
| 3.3.0 | 0 / 8 | |
| 3.2.1 | 0 / 8 | |
| 3.2.0 | 0 / 8 | |
| 3.1.0 | 0 / 8 | |
| 3.0.0 | 0 / 8 | |
| 2.1.1 | 0 / 5 | |
| 2.1.0 | 0 / 5 | |
| 2.0.0 | 0 / 5 | |
| 1.1.0 | 0 / 5 | |
| 1.0.0 | 0 / 5 | |
| 0.3.0 | 0 / 2 | |
| 0.2.1 | 0 / 2 | |
| 0.2.0 | 0 / 2 | |
| 0.1.0 | 0 / 0 | |
v4.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: alexgorbatchev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.