deasync
Turns async function into sync via JavaScript wrapper of Node event loop
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:async | AI (typosquat): deasync is a distinct, well-established package (4400+ days, 497k downloads) unrelated to 'async'; the name similarity is coincidental and not impersonation. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a build-time C++ dependency referenced in binding.gyp, not a JS import; phantom-dep detection is a false positive for native addon build deps. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): node-addon-api replaces nan as the official N-API C++ wrapper for native addons; this is a standard, well-known migration path with no supply-chain risk for this package. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is a native build dependency used by node-gyp/binding.gyp; it is not imported via require() but is legitimately needed. False positive for native addons. | ai | |
| install-scripts | install-script:install | AI (install-scripts): deasync is a native addon; install script runs node-gyp to compile C++ bindings. This is the documented, expected build flow for this package across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import in build.js is solely for invoking node-gyp during install compilation. Expected for native addon build scripts. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): deasync ships prebuilt .node binaries for many platforms/Node versions as its core distribution mechanism. This is expected and stable for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn in build.js invokes node-gyp rebuild — standard native addon compilation. Not a runtime risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the platform-specific prebuilt .node binary — standard bindings pattern for native addons, not arbitrary code loading. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.1.29 | 2 / 1 | |
| 0.1.27 | 2 / 1 | |
| 0.1.26 | 2 / 1 | |
| 0.1.25 | 2 / 1 | |
| 0.1.14 | 2 / 0 | |
| 0.0.4 | 1 / 0 | |
| 0.0.3 | 1 / 0 | |
v0.1.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.