node-zopfli — Greenflagged

Bindings for Zopfli compressing lib. Compress gzip files 5% better than gzip.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pierre.inglebert

Keywords

zopflizlibcompressgzipdeflate

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): nan is the canonical native addon abstraction library; its addition is expected and appropriate for a node-gyp-based native binding like node-zopfli.	ai	2026/04/24
phantom-deps	phantom-dep:async	AI (phantom-deps): async is used in CLI/utility scripts, not directly required in the main module — benign for this package.	ai	2026/04/24
phantom-deps	phantom-dep:nan	AI (phantom-deps): nan is a native addon build dependency used in C++ source/binding.gyp, not imported in JS. This is the correct usage pattern for NAN-based native addons.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase is due to committed lcov coverage report artifacts (HTML/CSS/JS), not injected payloads. Stable pattern for this package.	ai	2026/04/24
source-diff	obfuscated-file:coverage/lcov-report/prettify.js	AI (source-diff): This is the canonical Google Code Prettify minified JS, a standard artifact included in Istanbul/lcov HTML coverage reports. Not malicious.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): The dynamic require() loads the node-pre-gyp resolved binary path — standard pattern for native addon packages. Not arbitrary module loading.	ai	2026/04/24
npm-metadata	bundled-binaries	AI (npm-metadata): node-zopfli is a native addon that legitimately ships prebuilt .node binaries for multiple Node.js ABI/platform/arch combinations via node-pre-gyp. This is the documented and expected distribution pattern.	ai	2026/04/24
install-scripts	install-script:install	AI (install-scripts): node-zopfli is a native addon; prebuild-install \|\| node-gyp rebuild is the standard documented install flow for fetching/building native binaries. Stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is used by the CLI binaries (bin/zopfli, bin/zopflipng) which are separate entry points, not the main JS module. Legitimate usage pattern.	ai	2026/04/23
phantom-deps	phantom-dep:node-addon-api	AI (phantom-deps): node-addon-api is referenced in binding.gyp for native addon compilation, not imported in JS. Standard for N-API native addons.	ai	2026/04/23
phantom-deps	phantom-dep:prebuild-install	AI (phantom-deps): prebuild-install is used as a runtime binary installer invoked from the install script, not imported in JS. Expected for native addon packages.	ai	2026/04/23

Versions (showing 15 of 15)

Version	Deps	Published
2.1.4	4 / 12	2020-09-16
2.1.3	4 / 12	2019-10-19
2.0.3	4 / 8	2019-04-25
2.0.2	4 / 8	2016-11-10
2.0.0	4 / 8	2016-07-20
1.4.0	5 / 8	2015-09-08
1.2.4	5 / 8	2015-03-22
1.2.2	7 / 7	2015-03-18
1.1.6	6 / 7	2014-06-14
1.1.2	6 / 6	2014-04-25
1.1.0	6 / 6	2014-03-25
1.0.3	6 / 6	2014-01-02
0.1.2	4 / 2	2013-07-25
0.1.1	4 / 2	2013-07-23
0.1.0	4 / 2	2013-07-23

v2.1.4

2 findings

HIGH Package has 'install' script install-scripts

Script: prebuild-install --runtime napi || prebuild-install || node-gyp rebuild

LOW No provenance attestation provenance