node-fork
Look-alike nodejs 0.6.x child_process.fork() function module for nodejs 0.4.x and 0.6.x
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall compiles native bindings (createpair.<version>.node) — standard pattern for this era's native addon packages. Present across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): This package IS a child_process.fork() implementation; importing child_process is its core purpose, not a risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads version-specific native binding (createpair.<node_version>) — standard native addon pattern, not arbitrary module loading. | ai | |
v0.4.2
3 findings
Script: bash ./install
Maintainer email 'sander at tolsma.net' uses domain 'sander at tolsma.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findings
Maintainer email 'sander at tolsma.net' uses domain 'sander at tolsma.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.