electron-prebuilt — Greenflagged

Install prebuilt electron binaries for the command-line using npm

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

electron

Keywords

electron

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance on npm by years; absence of attestation is expected and not a risk signal for this well-established package.	ai	2026/04/24
install-scripts	install-script:install	AI (install-scripts): electron-prebuilt's install script downloads prebuilt Electron binaries — this is the package's core documented purpose and stable across all versions.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removals reflect a documented consolidation under the electron npm org; not a takeover. Publisher has 2528 approved packages and 0 rejected.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): kevinsawicki is a known Electron core contributor; this addition is a legitimate maintainer transition within the electron-userland org.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Transition from maxogden to kevinsawicki is a known legitimate maintainer handoff within the electron-userland org; kevinsawicki is a well-established Electron core contributor.	ai	2026/04/24
install-scripts	install-script:postinstall	AI (install-scripts): electron-prebuilt's postinstall runs node install.js to download prebuilt Electron binaries — this is the package's core documented purpose and has been stable across 125 versions.	ai	2026/04/23
semgrep	semgrep:child-process-spawn	AI (semgrep): proc.spawn in cli.js launches the Electron binary; this is the intended CLI launcher behavior, not a security concern.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used in cli.js solely to spawn the Electron binary with user args — the expected behavior of a CLI launcher package.	ai	2026/04/23

Versions (showing 14 of 14)

Version	Deps	Published
1.4.11	2 / 4	2016-12-07
1.4.8	2 / 4	2016-11-22
1.1.3	2 / 4	2016-05-25
1.1.2	2 / 4	2016-05-24
1.1.1	2 / 4	2016-05-20
0.33.1	2 / 3	2015-09-22
0.30.2	2 / 3	2015-07-30
0.29.2	2 / 3	2015-07-07
0.28.2	2 / 3	2015-06-19
0.27.3	2 / 3	2015-06-09
0.27.1	2 / 3	2015-05-28
0.25.3	5 / 2	2015-05-08
0.25.2	2 / 1	2015-05-03
0.25.1	2 / 1	2015-04-25

v1.4.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

2 findings

HIGH Publisher changed: maxogden → kevinsawicki (on 2016-05-20) provenance

This version was published by a different npm account than previous versions on 2016-05-20. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.33.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: maxogden.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.30.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.29.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.28.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.27.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.27.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.3

2 findings

HIGH Package has 'install' script install-scripts

Script: node install.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.2

2 findings

HIGH Package has 'install' script install-scripts

Script: node install.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.1

2 findings

HIGH Package has 'install' script install-scripts

Script: node install.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.