engine.io-client
Client for the realtime Engine
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): darrachequesne is a long-standing Socket.IO core maintainer; this transition from rauchg occurred in 2017 and is a well-documented legitimate handoff within the socketio org. | ai | |
| source-diff | net-exec-file:dist/engine.io.min.js | AI (source-diff): Same as engine.io.js — minified webpack bundle for browser distribution. Network + Function() pattern is inherent to this transport library's legitimate design. | ai | |
| source-diff | obfuscated-file:dist/engine.io.js | AI (source-diff): dist/engine.io.js is a standard webpack UMD bundle (browser distribution artifact) for this real-time transport library. Minified output is expected and documented via the build script. | ai | |
| phantom-deps | phantom-dep:base64-arraybuffer | AI (phantom-deps): base64-arraybuffer is used in the bundled dist output; phantom-dep detection doesn't account for webpack-bundled usage patterns in browser builds. | ai | |
| source-diff | net-exec-file:dist/engine.io.js | AI (source-diff): Network calls are the library's core purpose (XHR/WebSocket transports); Function('return this')() is webpack's standard global detection idiom, not malicious code execution. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — this reflects a legitimate CI/CD migration for the official Socket.IO project, not a compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Added deps (component-emitter, component-inherit, has-cors, indexof, parseqs, parseuri, yeast) are the canonical v3.x dependencies for the Socket.IO ecosystem, not suspicious additions. | ai | |
| source-diff | net-exec-file:engine.io.js | AI (source-diff): engine.io.js is the standard webpack browser bundle for engine.io-client v3.x. Network calls are WebSocket/XHR transport code; dynamic execution is webpack's __webpack_require__ module loader — not malicious. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): The new Function() call is a standard JSON parsing fallback with regex validation guards, not arbitrary code execution. Stable pattern in this package's bundled output. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; absence is expected for this age and publisher. Not a risk signal for this package. | ai | |
| dependencies | unvetted-dep:component-inherit | AI (dependencies): component-inherit is a foundational utility; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:yeast | AI (dependencies): yeast is a small, well-known utility library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:xmlhttprequest-ssl | AI (dependencies): xmlhttprequest-ssl is a known polyfill; stable dependency for this package. | ai | |
Versions (showing 84 of 84)
| Version | Deps | Published |
|---|---|---|
| 6.6.5 | 5 / 0 | |
| 6.6.4 | 5 / 0 | |
| 6.6.3 | 5 / 0 | |
| 6.6.2 | 5 / 0 | |
| 6.6.1 | 5 / 0 | |
| 6.6.0 | 5 / 30 | |
| 6.5.4 | 5 / 29 | |
| 6.5.3 | 5 / 29 | |
| 6.5.2 | 5 / 29 | |
| 6.5.1 | 5 / 29 | |
| 6.5.0 | 5 / 29 | |
| 6.4.0 | 5 / 27 | |
| 6.3.1 | 5 / 27 | |
| 6.3.0 | 5 / 27 | |
| 6.2.3 | 5 / 27 | |
| 6.2.2 | 5 / 27 | |
| 6.2.1 | 5 / 27 | |
| 6.2.0 | 5 / 27 | |
| 6.1.1 | 9 / 27 | |
| 6.1.0 | 9 / 27 | |
| 6.0.3 | 9 / 27 | |
| 6.0.2 | 9 / 27 | |
| 6.0.1 | 9 / 27 | |
| 6.0.0 | 9 / 27 | |
| 5.2.0 | 10 / 22 | |
| 5.1.2 | 9 / 20 | |
| 5.1.1 | 9 / 20 | |
| 5.1.0 | 9 / 20 | |
| 5.0.1 | 9 / 20 | |
| 5.0.0 | 9 / 20 | |
| 4.1.4 | 10 / 20 | |
| 4.1.3 | 10 / 20 | |
| 4.1.2 | 10 / 20 | |
| 4.1.1 | 10 / 20 | |
| 4.1.0 | 10 / 20 | |
| 4.0.6 | 10 / 20 | |
| 4.0.5 | 10 / 20 | |
| 4.0.4 | 10 / 20 | |
| 4.0.3 | 10 / 20 | |
| 4.0.2 | 10 / 20 | |
| 4.0.1 | 10 / 20 | |
| 4.0.0 | 10 / 20 | |
| 3.5.4 | 11 / 26 | |
| 3.5.3 | 11 / 26 | |
| 3.5.2 | 11 / 26 | |
| 3.5.1 | 11 / 26 | |
| 3.5.0 | 11 / 26 | |
| 3.4.4 | 11 / 26 | |
| 3.4.3 | 11 / 26 | |
| 3.4.2 | 11 / 26 | |
| 3.4.1 | 11 / 26 | |
| 3.4.0 | 11 / 26 | |
| 3.3.3 | 11 / 26 | |
| 3.3.2 | 11 / 26 | |
| 3.3.1 | 11 / 26 | |
| 3.3.0 | 11 / 26 | |
| 3.2.1 | 11 / 27 | |
| 3.2.0 | 11 / 27 | |
| 3.1.6 | 11 / 26 | |
| 3.1.5 | 11 / 26 | |
| 3.1.4 | 11 / 26 | |
| 3.1.3 | 11 / 26 | |
| 3.1.2 | 11 / 26 | |
| 3.1.1 | 12 / 26 | |
| 3.1.0 | 12 / 26 | |
| 3.0.0 | 12 / 26 | |
| 2.1.1 | 12 / 26 | |
| 2.1.0 | 12 / 26 | |
| 2.0.2 | 12 / 26 | |
| 2.0.1 | 12 / 26 | |
| 2.0.0 | 12 / 26 | |
| 1.8.6 | 12 / 26 | |
| 1.8.5 | 12 / 26 | |
| 1.8.4 | 12 / 26 | |
| 1.8.3 | 12 / 26 | |
| 1.8.2 | 12 / 26 | |
| 1.8.1 | 12 / 26 | |
| 1.8.0 | 12 / 26 | |
| 1.7.2 | 12 / 26 | |
| 1.7.1 | 12 / 26 | |
| 1.7.0 | 12 / 26 | |
| 1.6.11 | 12 / 11 | |
| 1.6.10 | 12 / 11 | |
| 1.6.9 | 12 / 11 | |
v6.6.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.4
2 findings: This version was published by a different npm account than previous versions on 2025-12-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.5.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.6
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.5
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.4
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-04-05. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-11. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-01-30. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-01-22. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-10. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-11-27. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-11-20. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-23. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-20. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-05. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.