iltorb
Brotli compression/decompression with native bindings
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): oohnoitz (Hung Tran) is a listed contributor; co-maintainer publishing since 2017 with strong track record (63 approved, 0 rejected). | ai | |
| phantom-deps | phantom-dep:node-pre-gyp | AI (phantom-deps): iltorb is a native binding; node-pre-gyp is the standard tool for fetching/building prebuilt binaries and is always an implicit runtime dependency for this package. | ai | |
| phantom-deps | phantom-dep:prebuild-install | AI (phantom-deps): prebuild-install is the standard prebuilt binary fetcher for native addons; used in install script, not a direct JS import. | ai | |
| phantom-deps | phantom-dep:detect-libc | AI (phantom-deps): detect-libc is used in the install script and binding config for native addon toolchain; not a direct JS import by design. | ai | |
| provenance | no-provenance | AI (provenance): iltorb is a long-established package (3840 days) with a consistent publisher track record; lack of Sigstore provenance is not a risk signal here. | ai | |
| phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is a well-known implicit dependency for native Node.js addons; its presence here is expected and benign. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in a CI build script (prebuild-ci) to compile native binaries — standard and expected for a native Node.js addon. | ai | |
| dependencies | unvetted-dep:detect-libc | AI (dependencies): detect-libc is a standard, well-known npm utility for detecting Linux C library; its use in iltorb for prebuilt binary selection is legitimate and expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): detect-libc addition is a legitimate platform-detection dependency for native binary selection; not a suspicious supply-chain addition. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Standard native binding install: prebuild-install fetches prebuilt binaries, falls back to node-gyp. Documented pattern for iltorb. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a C++ addon helper referenced in binding.gyp for native compilation, not directly imported in JS. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Deterministic require of ../package.json via path.resolve; not arbitrary module loading. | ai | |
v1.3.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.9
2 findings
This version was published by a different npm account than previous versions on 2017-10-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.