memfs-browser
In-memory file-system with Node's fs API.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/memfs.esm.js | AI (source-diff): This is a bundled browser-compatible ESM build of memfs. The 'network+exec' pattern is the standard globalThis/window/global/self environment detection idiom in bundled output, not malicious network calls. | ai | |
| source-diff | net-exec-file:dist/memfs.esm.min.js | AI (source-diff): Minified ESM bundle of memfs for browsers. Same false-positive pattern as the unminified version — environment detection idiom, not dropper/loader behavior. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 1280-day history and clean publisher track record. Lack of Sigstore provenance is acceptable for this package. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 4.6.10002 | 1 / 13 | |
| 4.6.10001 | 1 / 13 | |
| 4.6.0 | 2 / 13 | |
| 3.5.10302 | 1 / 13 | |
| 3.5.10301 | 1 / 13 | |
| 3.5.3 | 2 / 13 | |
| 3.4.13001 | 2 / 13 | |
| 3.4.13000 | 2 / 13 | |
| 3.4.11000 | 2 / 13 | |
| 3.4.10900 | 2 / 15 | |
| 3.4.10801 | 2 / 15 | |
| 3.4.10800 | 1 / 16 | |
| 3.4.10703 | 1 / 16 | |
| 3.4.10702 | 1 / 16 | |
| 3.4.10701 | 1 / 16 | |
| 3.4.10700 | 1 / 9 | |
v4.6.10002
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.10001
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.10302
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.10301
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.13001
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.13000
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.11000
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10900
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10801
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10800
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10703
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10702
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10701
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10700
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.