node-pre-gyp
Node.js native addon binary install tool
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): hawk and detect-libc are legitimate, established packages appropriate for a native addon build tool. Addition is consistent with node-pre-gyp's documented functionality for binary selection and HTTP auth. | ai | |
| dependencies | unvetted-dep:detect-libc | AI (dependencies): detect-libc is a legitimate utility for detecting Linux C library; appropriate and expected dependency for a native addon build tool like node-pre-gyp. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard practice; absence is not a security concern for this established package. | ai | |
| phantom-deps | phantom-dep:hawk | AI (phantom-deps): hawk is a transitive/config-level reference in node-pre-gyp, not a direct import; no security concern for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Test artifacts in test/ directory; expected for a build tool's test suite. | ai | |
| phantom-deps | phantom-dep:tape | AI (phantom-deps): tape is a test framework referenced in config; phantom-dep is expected for dev dependencies not directly imported in source. | ai | |
| dependencies | unvetted-dep:rc | AI (dependencies): rc is a well-known npm config library; unvetted status is a pipeline artifact. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a known HTTP library dependency; appropriate for node-pre-gyp's remote binary fetching. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is essential for a native addon build tool; importing it is expected and necessary. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn is expected for a native build tool that compiles C/C++ extensions; legitimate use case. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading npm_config_* environment variables is standard for build tools inheriting npm configuration. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads command modules from fixed local directory; this is node-pre-gyp's documented plugin architecture, not arbitrary code loading. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.16.0 | 10 / 4 | |
| 0.15.0 | 10 / 4 | |
| 0.14.0 | 10 / 4 | |
| 0.11.0 | 10 / 4 | |
| 0.10.3 | 10 / 4 | |
| 0.10.2 | 10 / 5 | |
| 0.10.1 | 10 / 5 | |
| 0.9.1 | 10 / 5 | |
| 0.9.0 | 10 / 4 | |
| 0.6.39 | 11 / 4 | |
| 0.6.38 | 10 / 4 | |
| 0.6.37 | 10 / 3 | |
| 0.6.35 | 9 / 4 | |
| 0.6.30 | 9 / 4 | |
| 0.6.28 | 9 / 4 | |
| 0.6.26 | 9 / 4 | |
| 0.6.16 | 9 / 4 | |
| 0.6.14 | 9 / 4 | |
| 0.6.13 | 9 / 4 | |
| 0.6.10 | 9 / 4 | |
| 0.6.3 | 9 / 4 | |
| 0.6.0 | 9 / 2 | |
| 0.5.30 | 9 / 2 | |
| 0.5.28 | 9 / 2 | |
| 0.5.25 | 9 / 1 | |
| 0.5.19 | 9 / 1 | |
| 0.5.17 | 9 / 1 | |
| 0.5.1 | 9 / 0 | |
| 0.2.6 | 10 / 0 | |
| 0.2.1 | 10 / 0 | |
| 0.1.9 | 7 / 0 | |
| 0.1.8 | 6 / 0 | |
| 0.1.5 | 6 / 0 | |
v0.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.39
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.38
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.35
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.6
2 findings:
- Package contains compiled binaries that could be backdoors:
  - test/app4/lib/binding/app4.node
  - test/app4/lib/binding/lib.target/mylib.so
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.