
gluejs

Build CommonJS modules for the browser via a chainable API

Versions: 34
License: BSD-3-Clause
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source. The registry signature only attests that npm served these exact bytes, and gitHead is a commit id the publishing client writes into the package metadata without anything verifying it; neither proves the tarball was built from that commit. The axios compromise (March 2026) relied on exactly this gap. For an installed tree, `npm audit signatures` reports which packages carry a verified registry signature and a verified provenance attestation.

Maintainers

mixu

Keywords

browser, require, bundle, commonjs, npm, module, package

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:lib/file-tasks/wrap-commonjs-web.js | AI (source-diff): This file is a CommonJS-to-browser bundler transform. The eval is for sourceURL source-map support, not remote code execution. The 'network' signal is require('readable-stream'). Stable false positive for this build-tool package. | ai |
source-diff | net-exec-file:test/node_modules/url/node_modules/punycode/vendor/qunit-clib/qunit-clib.js | AI (source-diff): Vendored QUnit CLI boilerplate in test/node_modules, a legitimate open-source testing utility, not runtime code, not malware. | ai |
source-diff | net-exec-file:test/node_modules/url/node_modules/punycode/vendor/requirejs/require.js | AI (source-diff): Vendored RequireJS 1.0.7 in test/node_modules, the canonical AMD module loader; dynamic script loading is by design, not malicious. | ai |
source-diff | large-new-source-files | AI (source-diff): Size increase is entirely from vendored test dependencies (requirejs test suite, fonts) under test/node_modules, not an injected runtime payload. | ai |
source-diff | source-size-tripled | AI (source-diff): 109x size increase is from vendored requirejs test fixtures and font files under test/node_modules, not runtime code changes. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in bin/get.js loads a user-specified vendor config file via CLI argument; intentional build-tool behavior, not a security risk for this package. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process.spawn is used in a task-runner module for a build tool; standard and expected for a bundler that invokes external processes. | ai |

Versions (showing 34 of 34)

Version Deps Published
2.4.0 12 / 2
2.3.9 12 / 2
2.3.8 12 / 2
2.3.7 12 / 2
2.3.6 12 / 2
2.3.5 12 / 2
2.3.4 12 / 2
2.3.3 9 / 2
2.3.2 8 / 2
2.3.1 8 / 2
2.3.0 8 / 2
2.2.2 8 / 1
2.2.1 8 / 1
2.2.0 8 / 1
2.1.4 8 / 1
2.1.3 8 / 1
2.1.2 8 / 1
2.1.1 8 / 1
2.1.0 7 / 1
2.0.7 6 / 1
2.0.6 6 / 1
2.0.5 6 / 1
2.0.4 6 / 1
2.0.3 6 / 1
2.0.2 6 / 1
2.0.1 5 / 2
2.0.0 5 / 2
0.2.2 3 / 1
0.2.1 3 / 1
0.2.0 3 / 1
0.1.1 3 / 1
0.1.0 2 / 1
0.0.3 0 / 1
0.0.2 0 / 1

v2.4.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.9

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.8

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.7

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.6

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.5

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.4

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.3

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.2

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.2

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.4

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.3

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.7

3 findings
HIGH: New file with network + code execution: test/node_modules/url/node_modules/punycode/vendor/qunit-clib/qunit-clib.js (source: source-diff)

Newly added file contains both network calls and dynamic code execution. That combination (retrieve something, then execute it) is characteristic of dropper/loader malware, but it is also what test harnesses, module loaders and bundler transforms legitimately do, which is why this hit was reviewed and accepted rather than blocked (see the accepted risks above).

HIGH: New file with network + code execution: test/node_modules/url/node_modules/punycode/vendor/requirejs/require.js (source: source-diff)

Newly added file contains both network calls and dynamic code execution. That combination is characteristic of dropper/loader malware, but dynamic script loading is the whole purpose of an AMD loader such as RequireJS, and this copy sits under test/node_modules rather than in shipped runtime code, which is why it was accepted (see the accepted risks above).

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.6

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

2 findings
HIGH: New file with network + code execution: lib/file-tasks/wrap-commonjs-web.js (source: source-diff)

Newly added file contains both network calls and dynamic code execution. That combination is characteristic of dropper/loader malware. Here, unlike the two vendored test files flagged in v2.0.7, the file is shipped runtime code, so the accepted-risk reasoning rests on what the two signals actually are: the eval emits a //# sourceURL directive for source-map support, and the "network" match is require('readable-stream'), a stream library with no I/O (see the accepted risks above).

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.