gear
Gear.js - Build System for Node.js and the Browser
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/gear.js | AI (source-diff): File is RequireJS 2.0.2 bundled as a build artifact for this Yahoo build system. Network+exec pattern is RequireJS's documented AMD module loading behavior, not malware. | ai | |
| source-diff | net-exec-file:build/gear.min.js | AI (source-diff): Minified RequireJS 2.0.2 build artifact. Same false-positive rationale as gear.js — AMD loader pattern, not dropper malware. | ai | |
| source-diff | net-exec-file:lib-cov/jscoverage.js | AI (source-diff): This is the GPL-licensed JSCoverage client reporting library. Network calls are XHR for coverage data; eval() is a legacy JSON-parse fallback. Not malicious. | ai | |
| source-diff | obfuscated-file:lib-cov/blob.js | AI (source-diff): JSCoverage auto-generated instrumentation file; long lines are coverage counters, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:lib-cov/tasks/core.js | AI (source-diff): JSCoverage auto-generated instrumentation file; long lines are coverage counters, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:lib-cov/registry.js | AI (source-diff): JSCoverage auto-generated instrumentation file; long lines are coverage counters, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:lib-cov/tasks/tasks.js | AI (source-diff): JSCoverage auto-generated instrumentation file; long lines are coverage counters, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:lib-cov/queue.js | AI (source-diff): JSCoverage auto-generated instrumentation file; long lines are coverage counters, not obfuscation. Stable false positive for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in lib-cov/jscoverage.js is JSCoverage's legacy JSON.parse fallback for old browsers. Benign and stable for this package. | ai | |
| source-diff | net-exec-file:vendor/require.js | AI (source-diff): vendor/require.js is RequireJS 2.0.2, a well-known AMD module loader. Its network+eval patterns are inherent to its design, not malicious. Safe to suppress for this package. | ai | |
| source-diff | encoded-string-file:build/gear.js | AI (source-diff): Long strings are Diffie-Hellman modp prime constants (RFC 3526) embedded in a browserified crypto bundle — not obfuscated payloads. Stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Standard CLI pattern: load local gear install if available, fall back to global. Source is public on GitHub and clearly non-malicious. | ai | |
| source-diff | encoded-string-file:build/gear.min.js | AI (source-diff): Same as gear.js — minified browserify bundle containing DH prime constants and standard crypto code. Not a malicious payload. | ai | |
Versions (showing 51 of 66)
| Version | Deps | Published |
|---|---|---|
| 0.9.7 | 4 / 6 | |
| 0.9.6 | 4 / 6 | |
| 0.9.5 | 4 / 6 | |
| 0.9.4 | 4 / 6 | |
| 0.9.3 | 4 / 6 | |
| 0.9.2 | 4 / 6 | |
| 0.9.1 | 3 / 6 | |
| 0.9.0 | 2 / 5 | |
| 0.8.18 | 2 / 5 | |
| 0.8.17 | 2 / 5 | |
| 0.8.16 | 2 / 5 | |
| 0.8.15 | 2 / 5 | |
| 0.8.14 | 2 / 5 | |
| 0.8.13 | 2 / 5 | |
| 0.8.12 | 2 / 5 | |
| 0.8.11 | 2 / 5 | |
| 0.8.10 | 2 / 5 | |
| 0.8.9 | 2 / 5 | |
| 0.8.8 | 2 / 5 | |
| 0.8.7 | 2 / 5 | |
| 0.8.6 | 2 / 5 | |
| 0.8.5 | 2 / 5 | |
| 0.8.4 | 2 / 5 | |
| 0.8.3 | 2 / 3 | |
| 0.8.2 | 2 / 3 | |
| 0.8.1 | 2 / 3 | |
| 0.7.16 | 2 / 3 | |
| 0.7.15 | 2 / 3 | |
| 0.7.14 | 2 / 3 | |
| 0.7.13 | 2 / 3 | |
| 0.7.12 | 2 / 3 | |
| 0.7.11 | 2 / 3 | |
| 0.7.10 | 2 / 3 | |
| 0.7.9 | 2 / 3 | |
| 0.7.8 | 2 / 3 | |
| 0.7.7 | 2 / 3 | |
| 0.7.6 | 2 / 3 | |
| 0.7.5 | 2 / 3 | |
| 0.7.4 | 2 / 3 | |
| 0.7.3 | 2 / 3 | |
| 0.7.2 | 2 / 3 | |
| 0.7.1 | 2 / 3 | |
| 0.7.0 | 2 / 3 | |
| 0.6.1 | 2 / 3 | |
| 0.6.0 | 2 / 3 | |
| 0.5.0 | 2 / 3 | |
| 0.4.5 | 2 / 3 | |
| 0.4.4 | 2 / 3 | |
| 0.4.3 | 2 / 3 | |
| 0.4.2 | 2 / 3 | |
| 0.4.1 | 2 / 2 | |
v0.9.7
3 findings
- Modified file contains 7 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 7 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.6
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.18
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.17
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.16
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.15
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.14
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.13
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.12
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.11
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.10
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.9
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.8
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.7
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.6
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.4
3 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.3
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.16
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.15
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.14
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.13
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.12
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.11
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.10
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.9
2 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.8
2 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.7
2 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.6
2 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.5
2 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.