mqtt
A library for the MQTT protocol
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): YoDaMa is a documented contributor to MQTT.js with a strong npm track record (530 approved packages). | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): worker-timers is an established package; new dependency in major version refactor is legitimate. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition from mcollina to YoDaMa (Microsoft contributor listed in package.json, known mqttjs maintainer). | ai | |
| dependencies | unvetted-dep:mqtt-connection | AI (dependencies): mqtt-connection is a companion package in the mqttjs ecosystem, maintained by the same team. Its use here is expected and stable across versions. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is explicitly declared as a direct dependency in package.json for WebSocket transport; conditional/indirect import pattern is expected for this MQTT library. | ai | |
| dependencies | unvetted-dep:pump | AI (dependencies): pump is a well-known streaming utility; stable dependency for mqtt's stream handling. | ai | |
| dependencies | unvetted-dep:end-of-stream | AI (dependencies): end-of-stream is a well-known stream utility by the same author (matteo.collina); no security risk for this package. | ai | |
| dependencies | unvetted-dep:es6-map | AI (dependencies): es6-map is a long-standing polyfill package with no known security issues; acceptable dependency for mqtt. | ai | |
| provenance | no-provenance | AI (provenance): Established package from a reputable publisher; provenance attestation was not standard practice at the time of this version's publication. | ai | |
| phantom-deps | phantom-dep:mqtt | AI (phantom-deps): mqtt is declared and referenced in config; phantom status is expected for this package. | ai | |
| phantom-deps | phantom-dep:reinterval | AI (phantom-deps): Declared and referenced in config; phantom status is expected for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in ali.ts is legitimate MQTT protocol handling for Alibaba IoT, not payload obfuscation. | ai | |
| dependencies | unvetted-dep:worker-timers | AI (dependencies): worker-timers is a stable, established package; unvetted status does not indicate risk here. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): Framework-scoped type package, loaded by convention; phantom status is expected. | ai | |
| phantom-deps | phantom-dep:@types/readable-stream | AI (phantom-deps): Framework-scoped type package, loaded by convention; phantom status is expected. | ai |
Versions (showing 51 of 65)
| Version | Deps | Published |
|---|---|---|
| 5.13.2 | 16 / 40 | |
| 5.13.0 | 14 / 42 | |
| 5.10.0 | 16 / 41 | |
| 5.5.5 | 17 / 41 | |
| 5.5.3 | 17 / 41 | |
| 5.5.1 | 17 / 41 | |
| 5.5.0 | 17 / 41 | |
| 5.3.1 | 16 / 41 | |
| 5.3.0 | 16 / 41 | |
| 5.2.2 | 17 / 42 | |
| 5.2.1 | 17 / 42 | |
| 5.2.0 | 16 / 42 | |
| 5.1.4 | 16 / 40 | |
| 5.1.3 | 16 / 40 | |
| 5.1.2 | 16 / 40 | |
| 5.1.1 | 16 / 40 | |
| 5.1.0 | 16 / 40 | |
| 5.0.5 | 16 / 40 | |
| 5.0.4 | 16 / 40 | |
| 5.0.3 | 14 / 42 | |
| 5.0.2 | 14 / 42 | |
| 5.0.1 | 14 / 42 | |
| 5.0.0 | 14 / 42 | |
| 4.3.8 | 17 / 24 | |
| 4.3.7 | 17 / 24 | |
| 4.3.6 | 17 / 24 | |
| 4.3.5 | 17 / 23 | |
| 4.3.4 | 17 / 23 | |
| 4.3.3 | 17 / 23 | |
| 4.3.2 | 17 / 23 | |
| 4.3.1 | 17 / 23 | |
| 4.3.0 | 18 / 23 | |
| 4.2.8 | 14 / 22 | |
| 4.2.7 | 14 / 22 | |
| 4.2.6 | 13 / 22 | |
| 4.2.5 | 13 / 22 | |
| 4.2.4 | 13 / 22 | |
| 4.2.3 | 13 / 22 | |
| 4.2.2 | 13 / 22 | |
| 4.2.1 | 16 / 23 | |
| 4.2.0 | 16 / 23 | |
| 4.1.0 | 16 / 23 | |
| 4.0.1 | 15 / 23 | |
| 4.0.0 | 15 / 23 | |
| 3.0.0 | 15 / 23 | |
| 2.18.9 | 14 / 23 | |
| 2.18.8 | 14 / 23 | |
| 2.18.7 | 14 / 23 | |
| 2.18.6 | 14 / 23 | |
| 2.18.5 | 14 / 23 | |
| 2.18.4 | 13 / 24 |
v4.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.7
2 findingsThis version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.6
2 findingsThis version was published by a different npm account than previous versions on 2022-02-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
2 findingsThis version was published by a different npm account than previous versions on 2022-02-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
2 findingsThis version was published by a different npm account than previous versions on 2022-01-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
2 findingsThis version was published by a different npm account than previous versions on 2022-01-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
2 findingsThis version was published by a different npm account than previous versions on 2021-12-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findingsThis version was published by a different npm account than previous versions on 2021-12-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findingsThis version was published by a different npm account than previous versions on 2021-12-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.8
2 findingsThis version was published by a different npm account than previous versions on 2021-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.7
2 findingsThis version was published by a different npm account than previous versions on 2021-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.6
2 findingsThis version was published by a different npm account than previous versions on 2020-11-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.5
2 findingsThis version was published by a different npm account than previous versions on 2020-11-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.4
2 findingsThis version was published by a different npm account than previous versions on 2020-10-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.3
2 findingsThis version was published by a different npm account than previous versions on 2020-10-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.2
2 findingsThis version was published by a different npm account than previous versions on 2020-10-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
2 findingsThis version was published by a different npm account than previous versions on 2020-08-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
2 findingsThis version was published by a different npm account than previous versions on 2020-08-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.9
2 findingsThis version was published by a different npm account than previous versions on 2021-08-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.