lz4 — Greenflagged

LZ4 streaming compression and decompression

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pierrec

Keywords

lz4compressiondecompressionstream

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:install	AI (install-scripts): node-gyp rebuild is the standard install mechanism for native Node.js addons; lz4 is a native binding with gypfile:true.	ai	2026/04/23
npm-metadata	bundled-binaries	AI (npm-metadata): Bundled .o/.node files are build artifacts from the native lz4 binding; lz4c is the upstream CLI. Sloppy but not malicious.	ai	2026/04/23
phantom-deps	phantom-dep:nan	AI (phantom-deps): nan is consumed via node-gyp/binding.gyp, not require(); standard pattern for native addons.	ai	2026/04/23

Versions (showing 6 of 6)

Version	Deps	Published
0.6.5	4 / 11	2021-01-04
0.6.4	4 / 11	2020-06-26
0.5.1	3 / 11	2015-12-10
0.1.2	0 / 1	2013-09-09
0.0.2	1 / 1	2012-07-16
0.0.1	1 / 1	2012-07-10

v0.6.5

3 findings

HIGH Package has 'install' script install-scripts

Script: node-gyp rebuild

HIGH Bundled binary files (8) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/lz4c • build/Release/lz4.node • build/Release/xxhash.node • build/Release/obj.target/lz4/lib/binding/lz4_binding.o • build/Release/obj.target/lz4/deps/lz4/lib/lz4.o • build/Release/obj.target/lz4/deps/lz4/lib/lz4hc.o • build/Release/obj.target/xxhash/lib/binding/xxhash_binding.o • build/Release/obj.target/xxhash/deps/lz4/lib/xxhash.o