esbuild-wasm — Greenflagged

The cross-platform WebAssembly binary for esbuild, a JavaScript bundler.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

esbuild

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	bundled-binaries	AI (npm-metadata): The .node files are esbuild's compiled native binaries, a core part of its documented distribution. Expected for all esbuild-wasm versions.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher changed from evanw to GitHub Actions as part of CI/CD migration. SLSA provenance attestation confirms builds originate from the official evanw/esbuild repository.	ai	2026/04/24
maintainer-change	maintainer-takeover	AI (maintainer-change): esbuild migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation. The repo URL remains evanw/esbuild; this is a documented supply chain improvement, not a hijack.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer 'esbuild' is the project's own npm org account, consistent with a legitimate organizational migration.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): evanw removed in favor of the project's org account and CI publishing; consistent with the documented migration pattern.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() is esbuild-wasm's documented main-thread worker fallback for WASM execution. Stable pattern across all versions of this package.	ai	2026/04/24
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() is part of the Go/WASM syscall/js runtime bridge in esbuild-wasm's browser bundle — standard boilerplate, not obfuscation.	ai	2026/04/23
semgrep	semgrep:child-process-spawn	AI (semgrep): spawn() is used to launch the esbuild service binary with --service and --ping flags — the canonical esbuild IPC protocol, not malicious.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): esbuild-wasm is a compiled WASM distribution package; no deps, minimal README, and no keywords are all expected for this type of artifact package.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): esbuild-wasm's Node.js API spawns the esbuild binary as a service process; child_process usage is documented and expected for this package.	ai	2026/04/23

Versions (showing 100 of 488)

Version	Deps	Published
0.28.0	0 / 0	2026-04-02
0.27.7	0 / 0	2026-04-02
0.27.5	0 / 0	2026-04-02
0.27.4	0 / 0	2026-03-12
0.27.3	0 / 0	2026-02-05
0.27.2	0 / 0	2025-12-17
0.27.1	0 / 0	2025-12-03
0.27.0	0 / 0	2025-11-09
0.26.0	0 / 0	2025-11-09
0.25.12	0 / 0	2025-11-01
0.25.11	0 / 0	2025-10-15
0.25.10	0 / 0	2025-09-17
0.25.9	0 / 0	2025-08-12
0.25.8	0 / 0	2025-07-19
0.25.7	0 / 0	2025-07-18
0.25.6	0 / 0	2025-07-07
0.25.5	0 / 0	2025-05-27
0.25.4	0 / 0	2025-05-06
0.25.3	0 / 0	2025-04-23
0.25.2	0 / 0	2025-03-30
0.25.1	0 / 0	2025-03-10
0.25.0	0 / 0	2025-02-08
0.24.2	0 / 0	2024-12-20
0.24.1	0 / 0	2024-12-20
0.24.0	0 / 0	2024-09-22
0.23.1	0 / 0	2024-08-16
0.23.0	0 / 0	2024-07-02
0.22.0	0 / 0	2024-06-30
0.21.5	0 / 0	2024-06-09
0.21.4	0 / 0	2024-05-25
0.21.3	0 / 0	2024-05-15
0.21.2	0 / 0	2024-05-12
0.21.1	0 / 0	2024-05-07
0.21.0	0 / 0	2024-05-07
0.20.2	0 / 0	2024-03-14
0.20.1	0 / 0	2024-02-19
0.20.0	0 / 0	2024-01-27
0.19.12	0 / 0	2024-01-23
0.19.11	0 / 0	2023-12-29
0.19.10	0 / 0	2023-12-19
0.19.9	0 / 0	2023-12-10
0.19.8	0 / 0	2023-11-26
0.19.7	0 / 0	2023-11-21
0.19.6	0 / 0	2023-11-19
0.19.5	0 / 0	2023-10-17
0.19.4	0 / 0	2023-09-28
0.19.3	0 / 0	2023-09-14
0.19.2	0 / 0	2023-08-14
0.19.1	0 / 0	2023-08-11
0.19.0	0 / 0	2023-08-08
0.18.20	0 / 0	2023-08-08
0.18.19	0 / 0	2023-08-07
0.18.18	0 / 0	2023-08-05
0.18.17	0 / 0	2023-07-26
0.18.16	0 / 0	2023-07-23
0.18.15	0 / 0	2023-07-20
0.18.14	0 / 0	2023-07-18
0.18.13	0 / 0	2023-07-15
0.18.12	0 / 0	2023-07-13
0.18.11	0 / 0	2023-07-01
0.18.10	0 / 0	2023-06-26
0.18.9	0 / 0	2023-06-26
0.18.8	0 / 0	2023-06-25
0.18.7	0 / 0	2023-06-24
0.18.6	0 / 0	2023-06-20
0.18.5	0 / 0	2023-06-20
0.18.4	0 / 0	2023-06-16
0.18.3	0 / 0	2023-06-15
0.18.2	0 / 0	2023-06-13
0.18.1	0 / 0	2023-06-12
0.18.0	0 / 0	2023-06-09
0.17.19	0 / 0	2023-05-13
0.17.18	0 / 0	2023-04-22
0.17.17	0 / 0	2023-04-16
0.17.16	0 / 0	2023-04-10
0.17.15	0 / 0	2023-04-01
0.17.14	0 / 0	2023-03-26
0.17.13	0 / 0	2023-03-24
0.17.12	0 / 0	2023-03-17
0.17.11	0 / 0	2023-03-03
0.17.10	0 / 0	2023-02-20
0.17.9	0 / 0	2023-02-19
0.17.8	0 / 0	2023-02-13
0.17.7	0 / 0	2023-02-09
0.17.6	0 / 0	2023-02-06
0.17.5	0 / 0	2023-01-27
0.17.4	0 / 0	2023-01-22
0.17.3	0 / 0	2023-01-18
0.17.2	0 / 0	2023-01-17
0.17.1	0 / 0	2023-01-16
0.17.0	0 / 0	2023-01-14
0.16.17	0 / 0	2023-01-11
0.16.16	0 / 0	2023-01-08
0.16.15	0 / 0	2023-01-07
0.16.14	0 / 0	2023-01-04
0.16.13	0 / 0	2023-01-02
0.16.12	0 / 0	2022-12-28
0.16.11	0 / 0	2022-12-27
0.16.10	0 / 0	2022-12-19
0.16.9	0 / 0	2022-12-18

Showing 100 of 488 Next page →

v0.28.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.2

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (evanw) were replaced by new maintainers (esbuild). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: evanw → GitHub Actions (on 2025-12-17) provenance

This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.27.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.26.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (evanw) were replaced by new maintainers (esbuild). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: evanw → GitHub Actions (on 2025-11-09) provenance

This version was published by a different npm account than previous versions on 2025-11-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.