fb-watchman Apache-2.0 17 versions

fb-watchman

npm Repository Homepage

Bindings for the Watchman file watching service

17

Versions

Apache-2.0

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wezbolinfestfbkassensfanzeyi

Keywords

facebookwatchmanfilewatchwatcherwatchingfs.watchfswatcherfsglobutility

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is the legitimate initial release of fb-watchman by a verified Facebook engineer, published over 11 years ago. Not a malicious throwaway package.	ai	2026/04/23
semgrep	semgrep:child-process-exec	AI (semgrep): fb-watchman must exec the watchman CLI to discover its socket; child_process.exec is core to its documented functionality, not a risk.	ai	2026/04/23
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawning the watchman binary is the package's primary purpose; this is expected and benign for all versions.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): child_process import is required for watchman CLI invocation; stable and expected for this package across all versions.	ai	2026/04/21

Versions (showing 17 of 17)

Version	Deps	Published
2.0.2	1 / 0	2022-09-21
2.0.1	1 / 0	2019-12-06
2.0.0	1 / 0	2017-01-30
1.9.2	1 / 0	2017-01-27
1.9.1	1 / 0	2017-01-27
1.9.0	1 / 0	2016-01-27
1.8.0	1 / 0	2016-01-14
1.7.0	1 / 0	2016-01-04
1.6.0	1 / 0	2015-08-25
1.5.0	1 / 0	2015-08-16
1.4.0	1 / 0	2015-08-16
1.3.0	1 / 0	2015-08-16
1.2.0	1 / 0	2015-07-11
1.1.0	1 / 0	2015-06-25
1.0.0	0 / 0	2015-06-23
0.0.1	2 / 0	2015-03-06
0.0.0	2 / 0	2014-11-03

v2.0.2

2 findings

HIGH Publisher changed: wez → bolinfest (on 2022-09-21) provenance

This version was published by a different npm account than previous versions on 2022-09-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.