fbjs
A collection of utility libraries used by other Facebook JS projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Missing gitHead is explained by the legitimate publisher transition from fb to cpojer account during a major version bump; not indicative of malicious activity for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 21 new files is consistent with a major version bump (v0.8.17 → v3.0.0) restructuring the fbjs utility library; no malicious content indicated. | ai | |
| source-diff | obfuscated-file:lib/UnicodeBidi.js | AI (source-diff): Long lines are Unicode character range strings for the Bidirectional Algorithm implementation — data-dense but not obfuscated. Legitimate Facebook OSS code with proper copyright headers. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): setimmediate is a canonical, well-established polyfill; its addition to fbjs is benign and expected for cross-environment utility library. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer changes on fbjs reflect normal Facebook/Meta team rotation among known engineers; not indicative of a takeover. | ai | |
| provenance | no-provenance | AI (provenance): Package was published in 2016, well before Sigstore provenance was available on npm. Not a meaningful risk signal for this era. | ai | |
| provenance | publisher-changed | AI (provenance): zpao is a well-known Facebook engineer with a strong npm track record; the yungsters→zpao transition is a documented legitimate Facebook team handoff. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (josephsavona, steveluscher, wincent, yuzhi) are known Facebook engineers; this reflects a legitimate team expansion, not a compromise. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): fbjs 0.0.0 is a legitimate namespace reservation stub by a trusted Meta/Facebook publisher (zpao). The 0.0.0 version is a well-known pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): fbjs is a well-established package with 26 approved-dep edges and a trusted publisher. The stub 0.0.0 version naturally lacks metadata/deps; this is a namespace reservation, not spam. | ai | |
| dependencies | unvetted-dep:fbjs-css-vars | AI (dependencies): fbjs-css-vars is a companion fbjs utility; appropriate dependency. | ai | |
| dependencies | unvetted-dep:cross-fetch | AI (dependencies): cross-fetch is a standard polyfill for fetch API; appropriate for fbjs utility library. | ai | |
| phantom-deps | phantom-dep:promise | AI (phantom-deps): fbjs uses promise as a polyfill dependency for browser environments; not directly imported in source is expected for this multi-environment utility library. | ai | |
| dependencies | unvetted-dep:setimmediate | AI (dependencies): setimmediate is a stable, well-known polyfill; reasonable version constraint for fbjs. | ai | |
| dependencies | unvetted-dep:ua-parser-js | AI (dependencies): ua-parser-js is a standard user-agent parsing library; appropriate for fbjs utility collection. | ai | |
| phantom-deps | phantom-dep:object-assign | AI (phantom-deps): object-assign is a polyfill used conditionally in fbjs for older environments; phantom detection is a known false positive. | ai | |
| phantom-deps | phantom-dep:ua-parser-js | AI (phantom-deps): ua-parser-js usage in fbjs is environment-conditional; phantom detection is a known false positive for this package. | ai | |
| phantom-deps | phantom-dep:setimmediate | AI (phantom-deps): setimmediate is a browser polyfill; phantom detection is expected for fbjs's multi-environment design. | ai | |
| phantom-deps | phantom-dep:cross-fetch | AI (phantom-deps): cross-fetch is a fetch polyfill used by fbjs for browser/Node compatibility; phantom detection is expected given conditional environment-based usage. | ai | |
| phantom-deps | phantom-dep:fbjs-css-vars | AI (phantom-deps): fbjs-css-vars is a sibling Facebook package used conditionally; phantom detection is expected for fbjs's design. | ai | |
| typosquat | typosquat.levenshtein:rxjs | AI (typosquat): fbjs is an established Facebook brand with 3967 days history; no confusion or typosquat risk. | ai | |
| phantom-deps | phantom-dep:loose-envify | AI (phantom-deps): loose-envify is properly declared and used in browserify configuration; not a phantom dependency. | ai |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 3.0.5 | 7 / 12 | |
| 3.0.4 | 7 / 12 | |
| 3.0.3 | 7 / 12 | |
| 3.0.2 | 7 / 12 | |
| 3.0.1 | 7 / 12 | |
| 3.0.0 | 7 / 12 | |
| 2.0.0 | 8 / 12 | |
| 1.0.0 | 8 / 13 | |
| 0.8.18 | 7 / 14 | |
| 0.8.17 | 7 / 14 | |
| 0.8.16 | 7 / 14 | |
| 0.8.15 | 7 / 14 | |
| 0.8.14 | 7 / 14 | |
| 0.8.13 | 7 / 14 | |
| 0.8.12 | 7 / 14 | |
| 0.8.11 | 7 / 14 | |
| 0.8.10 | 7 / 14 | |
| 0.8.9 | 7 / 14 | |
| 0.8.8 | 7 / 14 | |
| 0.8.7 | 7 / 14 | |
| 0.8.6 | 6 / 14 | |
| 0.8.5 | 7 / 13 | |
| 0.8.4 | 7 / 13 | |
| 0.8.3 | 7 / 13 | |
| 0.8.2 | 5 / 14 | |
| 0.8.1 | 6 / 37 | |
| 0.8.0 | 6 / 37 | |
| 0.7.2 | 5 / 14 | |
| 0.7.1 | 5 / 14 | |
| 0.7.0 | 5 / 14 | |
| 0.6.1 | 5 / 14 | |
| 0.6.0 | 5 / 14 | |
| 0.5.1 | 5 / 13 | |
| 0.5.0 | 5 / 13 | |
| 0.4.0 | 5 / 13 | |
| 0.3.2 | 5 / 13 | |
| 0.3.1 | 4 / 13 | |
| 0.2.1 | 3 / 11 | |
| 0.2.0 | 3 / 11 | |
| 0.0.0 | 0 / 0 |
v3.0.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bigfootjon.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-10. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zpao.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cpojer.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-10-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zpao.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-07-30. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jstejada.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-09-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.8.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.17
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-06-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.8.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.4
2 findingsThis version was published by a different npm account than previous versions on 2016-08-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
2 findingsThis version was published by a different npm account than previous versions on 2016-05-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
2 findingsThis version was published by a different npm account than previous versions on 2016-05-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
2 findingsThis version was published by a different npm account than previous versions on 2016-04-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findingsThis version was published by a different npm account than previous versions on 2016-04-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
2 findingsThis version was published by a different npm account than previous versions on 2016-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
2 findingsThis version was published by a different npm account than previous versions on 2016-02-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findingsThis version was published by a different npm account than previous versions on 2016-01-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
2 findingsThis version was published by a different npm account than previous versions on 2016-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findingsThis version was published by a different npm account than previous versions on 2015-12-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.