msgpack-js-browser
A msgpack encoder and decoder using ArrayBuffer and DataView
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Maintainer transition to creationix occurred in 2013 (11+ years ago). creationix is a well-known, highly trusted npm publisher. This is a historical, legitimate transfer, not a hijack. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to creationix happened in 2013; creationix is a trusted, long-standing npm publisher with 891 approved packages. No ongoing risk. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (fjakobs, creationix, sergi, janjongboom) were added in 2013 as part of a legitimate transfer to well-known ecosystem contributors. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Original maintainer cadorn was removed in 2013 as part of a legitimate, historical transfer. No ongoing risk. | ai |
v0.1.4
3 findingsAll previous maintainers (cadorn) were replaced by new maintainers (fjakobs, creationix, sergi, janjongboom). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2013-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.