crypto-browserify
implementation of crypto for the browser
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Low-value signals reflect early npm era conventions (circa 2012), not spam or malice. Package is real, established, and from a trusted publisher. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 is the legitimate first release of a well-established package by a trusted author (dominictarr), published over 5000 days ago. Not a throwaway. | ai | |
| source-diff | obfuscated-file:c.js | AI (source-diff): c.js is a standard browserify bundle (recognizable wrapper pattern); long lines are from bundled deps, not malicious obfuscation. Expected artifact for a browser crypto polyfill. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely explained by the addition of a pre-built browserify bundle (c.js) packaging all crypto dependencies for browser use — a normal pattern for this package. | ai | |
| source-diff | encoded-string-file:test/sign.js | AI (source-diff): Long hex strings in test/sign.js are RSA key material used as test fixtures — standard practice for a crypto library. Not a malicious payload. | ai | |
| source-diff | encoded-string-file:test/public-encrypt.js | AI (source-diff): Long hex strings in test/public-encrypt.js are RSA key material used as test fixtures — standard practice for a crypto library. Not a malicious payload. | ai | |
| dependencies | unvetted-dep:create-ecdh | AI (dependencies): Established crypto dependency; fits package purpose and version constraint is pinned. | ai | |
| dependencies | unvetted-dep:diffie-hellman | AI (dependencies): Legitimate crypto utility for Diffie-Hellman key exchange; appropriate for this package's scope. | ai | |
| dependencies | unvetted-dep:browserify-cipher | AI (dependencies): browserify-cipher is a standard browserify ecosystem crypto primitive; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:create-hash | AI (dependencies): create-hash is a standard browserify ecosystem crypto primitive; expected dependency for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in rng.js is a documented fallback pattern for loading Node.js crypto in non-browser environments; legitimate for browserify shims. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition occurred in 2015; well-established and legitimate for this mature package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions reflect legitimate ecosystem contributors; transition occurred years ago and is stable. | ai | |
| source-diff | obfuscated-file:test/public-encrypt.js | AI (source-diff): Test file contains hex-encoded RSA test vectors for cryptographic testing, not malicious obfuscation. Legitimate pattern in crypto test suites. | ai | |
| source-diff | obfuscated-file:test/sign.js | AI (source-diff): Test file contains hex-encoded RSA test vectors for cryptographic testing, not malicious obfuscation. Legitimate pattern in crypto test suites. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are established browserify crypto components (create-hash, create-hmac, pbkdf2, etc.), representing legitimate modularization of crypto functionality, not suspicious injection. | ai | |
| dependencies | unvetted-dep:pbkdf2-compat | AI (dependencies): pbkdf2-compat is a narrow-purpose PBKDF2 implementation appropriate for crypto-browserify; pinned to 2.0.1. | ai | |
| phantom-deps | phantom-dep:inherits | AI (phantom-deps): inherits is a declared runtime dep for browser bundler compatibility; not directly imported in source but legitimately listed. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Trusted publisher (ljharb) with long track record; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| phantom-deps | phantom-dep:hash-base | AI (phantom-deps): hash-base is a declared runtime dep for browser bundler compatibility; not directly imported in source but legitimately listed. Stable false positive for this package. | ai | |
Versions (showing 76 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.12.1 | 12 / 9 | |
| 3.12.0 | 11 / 6 | |
| 3.11.1 | 10 / 5 | |
| 3.11.0 | 10 / 5 | |
| 3.10.0 | 10 / 3 | |
| 3.9.14 | 10 / 2 | |
| 3.9.13 | 10 / 2 | |
| 3.9.12 | 10 / 2 | |
| 3.9.11 | 10 / 2 | |
| 3.9.10 | 10 / 2 | |
| 3.9.9 | 10 / 2 | |
| 3.9.8 | 10 / 2 | |
| 3.9.7 | 9 / 2 | |
| 3.9.6 | 9 / 2 | |
| 3.9.4 | 8 / 2 | |
| 3.9.3 | 8 / 2 | |
| 3.9.2 | 8 / 2 | |
| 3.9.1 | 8 / 2 | |
| 3.9.0 | 8 / 2 | |
| 3.8.3 | 8 / 2 | |
| 3.8.1 | 8 / 2 | |
| 3.8.0 | 8 / 2 | |
| 3.7.2 | 8 / 2 | |
| 3.7.1 | 8 / 2 | |
| 3.7.0 | 8 / 2 | |
| 3.6.0 | 7 / 2 | |
| 3.5.1 | 6 / 2 | |
| 3.5.0 | 6 / 2 | |
| 3.4.3 | 6 / 2 | |
| 3.4.1 | 6 / 2 | |
| 3.4.0 | 5 / 2 | |
| 3.3.0 | 4 / 2 | |
| 3.2.8 | 3 / 2 | |
| 3.2.7 | 3 / 2 | |
| 3.2.6 | 3 / 2 | |
| 3.2.5 | 3 / 2 | |
| 3.2.4 | 3 / 2 | |
| 3.2.2 | 3 / 2 | |
| 3.2.1 | 3 / 2 | |
| 3.2.0 | 2 / 2 | |
| 3.1.0 | 2 / 2 | |
| 3.0.2 | 2 / 2 | |
| 3.0.1 | 2 / 2 | |
| 3.0.0 | 2 / 2 | |
| 2.1.10 | 2 / 2 | |
| 2.1.8 | 2 / 2 | |
| 2.1.7 | 2 / 2 | |
| 2.1.6 | 1 / 1 | |
| 2.1.5 | 1 / 1 | |
| 2.1.4 | 1 / 1 | |
| 2.1.3 | 1 / 1 | |
| 2.1.2 | 1 / 1 | |
| 2.1.1 | 1 / 1 | |
| 2.1.0 | 1 / 1 | |
| 2.0.0 | 1 / 1 | |
| 1.0.9 | 0 / 2 | |
| 1.0.8 | 0 / 2 | |
| 1.0.7 | 0 / 1 | |
| 1.0.6 | 0 / 1 | |
| 1.0.5 | 0 / 1 | |
| 1.0.4 | 0 / 1 | |
| 1.0.3 | 0 / 1 | |
| 1.0.2 | 0 / 1 | |
| 1.0.1 | 0 / 1 | |
| 1.0.0 | 0 / 1 | |
| 0.4.0 | 0 / 1 | |
| 0.3.0 | 0 / 1 | |
| 0.2.3 | 0 / 1 | |
| 0.2.2 | 0 / 1 | |
| 0.2.1 | 0 / 1 | |
| 0.2.0 | 0 / 1 | |
| 0.1.2 | 0 / 0 | |
| 0.1.1 | 0 / 0 | |
| 0.1.0 | 0 / 0 | |
| 0.0.1 | 0 / 0 | |
| 0.0.0 | 0 / 0 | |
v3.2.5
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.