
hiredis

Wrapper for reply processing code in hiredis

Versions: 17
License: BSD-3-Clause
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pieternbadboy_

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): nan and bindings are canonical native-addon dependencies; their addition reflects a standard Node.js native binding refactor, not a supply-chain attack vector. | ai |
provenance | no-provenance | AI (provenance): Package is 15+ years old; lack of Sigstore provenance is expected for legacy packages and not a meaningful risk signal here. | ai |
npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are hiredis-example and hiredis-test from the vendored upstream hiredis C library source tree; standard build artifacts, not backdoors. | ai |
typosquat | typosquat.levenshtein:redis | AI (typosquat): hiredis is the canonical name of the upstream C library this package wraps; not a typosquat of 'redis'. The name is intentional and well-established in the ecosystem. | ai |
install-scripts | install-script:preinstall | AI (install-scripts): Preinstall script compiles the bundled hiredis C library and native Node.js addon using node-waf; standard native binding build pattern for this package. | ai |
install-scripts | install-script:install | AI (install-scripts): hiredis is a native C addon; node-gyp rebuild is the standard and expected install script for compiling the binding. Stable for this package. | ai |
phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a native addon build dependency used in binding.gyp/C++ headers, not imported in JS. This is expected for native bindings and stable for this package. | ai |

Versions (showing 17 of 17)

Version | Deps | Published
0.5.0 | 2 / 0 |
0.4.1 | 2 / 0 |
0.4.0 | 2 / 0 |
0.3.0 | 2 / 0 |
0.1.14 | 0 / 0 |
0.1.13 | 0 / 0 |
0.1.12 | 0 / 0 |
0.1.10 | 0 / 0 |
0.1.9 | 0 / 0 |
0.1.8 | 0 / 0 |
0.1.6 | 0 / 0 |
0.1.5 | 0 / 0 |
0.1.4 | 0 / 0 |
0.1.3 | 0 / 0 |
0.1.2 | 0 / 0 |
0.1.1 | 0 / 0 |
0.1.0 | 0 / 0 |

v0.5.0

2 findings
HIGH Package has 'install' script install-scripts

Script: node-gyp rebuild

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.12

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9

2 findings
HIGH Bundled binary files (2) npm-metadata

Package contains compiled binaries that could be backdoors:
- deps/hiredis/hiredis-example
- deps/hiredis/hiredis-test

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

2 findings
HIGH Package has 'preinstall' script install-scripts

Script: cd deps/hiredis && make static && cd ../.. && node-waf configure build

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.