node-notifier
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Versions: 1
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mikaelb
Keywords
notification center, mac os x 10.8, notify, terminal-notifier, notify-send, growl, windows 8 notification, toaster, notification
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Bundled binaries (terminal-notifier, notifu, snoretoast) are the core native notification helpers this package has always shipped; they are well-known open-source tools, not backdoors. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): cp.exec() is the fundamental mechanism for invoking native notification binaries; this is the package's documented design, not malicious behavior. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is required to spawn native notification binaries; expected and stable for this package. | ai | |
| dependencies | unvetted-dep:shellwords | AI (dependencies): shellwords is used to safely escape shell arguments before passing to exec; appropriate dependency for this package's use case. | ai | |
| dependencies | unvetted-dep:growly | AI (dependencies): growly is the Growl fallback notifier, a documented feature of node-notifier; expected dependency. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 10.0.1 | 6 / 14 | |