libnpx
support library for npx -- an tool for executing npm-based packages.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate transfer from original author (zkat) to the official npm CLI team (isaacs et al.) when npx was absorbed into npm org. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): zkat's removal is part of the known npm org transition; the new maintainers are the official npm CLI team. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): win-term-size.exe is a vendored binary from term-size dependency, used for terminal dimension detection on Windows. Expected for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is a well-established npm maintainer. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Used for update-notifier with argv.npxPkg; standard CLI tool pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): isaacs flagged as spam is a clear false positive (npm creator). README link-dump is normal for npm tooling docs. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): mylesborins is a well-known Node.js TSC member; legitimate maintainer addition for npm org package. | ai | |
| provenance | publisher-changed | AI (provenance): isaacs → claudiahdz is a known npm CLI team handoff; both are well-known npm/GitHub employees. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): libnpx's core purpose is executing npm packages via child_process; expected and necessary. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): spawn() is core functionality for a package executor tool. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() is core functionality for a package executor tool. | ai |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 11.0.0 | 8 / 13 | |
| 10.2.4 | 8 / 11 | |
| 10.2.3 | 8 / 11 | |
| 10.2.2 | 8 / 13 | |
| 10.2.1 | 8 / 13 | |
| 10.2.0 | 8 / 13 | |
| 10.1.1 | 8 / 13 | |
| 10.0.1 | 8 / 13 | |
| 10.0.0 | 8 / 13 | |
| 9.7.1 | 8 / 13 | |
| 9.7.0 | 8 / 13 | |
| 9.6.0 | 8 / 13 | |
| 9.5.0 | 8 / 13 | |
| 9.4.1 | 8 / 13 | |
| 9.4.0 | 8 / 13 | |
| 9.3.2 | 8 / 13 | |
| 9.3.1 | 8 / 13 | |
| 9.3.0 | 8 / 13 | |
| 9.2.3 | 8 / 13 | |
| 9.2.2 | 8 / 13 | |
| 9.2.1 | 8 / 13 | |
| 9.2.0 | 8 / 13 | |
| 9.1.0 | 8 / 13 | |
| 9.0.7 | 8 / 13 | |
| 9.0.6 | 8 / 13 | |
| 9.0.5 | 8 / 13 | |
| 9.0.4 | 8 / 13 | |
| 9.0.3 | 8 / 13 | |
| 9.0.2 | 8 / 13 | |
| 9.0.1 | 8 / 13 | |
| 9.0.0 | 8 / 13 | |
| 8.1.1 | 8 / 12 |
v11.0.0
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (adam_baldwin, ahmadnassri, claudiahdz, darcyclarke, isaacs, mikemimik, ruyadorno). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-01-17. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.4
2 findingsThis version was published by a different npm account than previous versions on 2020-07-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
2 findingsPackage contains compiled binaries that could be backdoors: • node_modules/term-size/vendor/win-term-size.exe
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.