node
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): This is a legitimate, long-standing Node.js binary wrapper. Tiny payload and minimal description are by design; isaacs spam flag is a false positive for this established package. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): 'node' is a long-established (~5000 days) Node.js binary wrapper package with no relation to 'zod'; the Levenshtein match is a false positive that generalizes across all versions. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall is the documented, stable mechanism for node-bin-gen to select the correct arch-specific Node.js binary. Present across hundreds of versions; not a risk signal for this package. | ai | |
Versions (showing 100 of 758)
| Version | Deps | Published |
|---|---|---|
| 26.2.0 | 1 / 0 | |
| 26.1.0 | 1 / 0 | |
| 26.0.0 | 1 / 0 | |
| 25.8.1 | 1 / 0 | |
| 25.8.0 | 1 / 0 | |
| 25.7.0 | 1 / 0 | |
| 25.6.0 | 1 / 0 | |
| 25.5.0 | 1 / 0 | |
| 25.2.1 | 1 / 0 | |
| 25.1.0 | 1 / 0 | |
| 24.16.0 | 1 / 0 | |
| 24.14.1 | 1 / 0 | |
| 24.13.1 | 1 / 0 | |
| 24.13.0 | 1 / 0 | |
| 24.11.1 | 1 / 0 | |
| 24.11.0 | 1 / 0 | |
| 24.9.0 | 1 / 0 | |
| 24.8.0 | 1 / 0 | |
| 24.6.0 | 1 / 0 | |
| 24.4.1 | 1 / 0 | |
| 24.4.0 | 1 / 0 | |
| 24.3.0 | 1 / 0 | |
| 24.2.0 | 1 / 0 | |
| 24.1.0 | 1 / 0 | |
| 24.0.2 | 1 / 0 | |
| 24.0.0 | 1 / 0 | |
| 23.11.1 | 1 / 0 | |
| 23.10.0 | 1 / 0 | |
| 23.6.1 | 1 / 0 | |
| 23.4.0 | 1 / 0 | |
| 23.3.0 | 1 / 0 | |
| 23.1.0 | 1 / 0 | |
| 22.22.3 | 1 / 0 | |
| 22.22.1 | 1 / 0 | |
| 22.22.0 | 1 / 0 | |
| 22.19.0 | 1 / 0 | |
| 22.18.0 | 1 / 0 | |
| 22.17.1 | 1 / 0 | |
| 22.17.0 | 1 / 0 | |
| 22.15.1 | 1 / 0 | |
| 22.15.0 | 1 / 0 | |
| 22.12.0 | 1 / 0 | |
| 22.10.0 | 1 / 0 | |
| 22.5.1 | 1 / 0 | |
| 22.4.1 | 1 / 0 | |
| 22.0.0 | 1 / 0 | |
| 21.7.3 | 1 / 0 | |
| 21.7.2 | 1 / 0 | |
| 21.7.1 | 1 / 0 | |
| 21.7.0 | 1 / 0 | |
| 21.6.2 | 1 / 0 | |
| 21.6.1 | 1 / 0 | |
| 21.6.0 | 1 / 0 | |
| 21.5.0 | 1 / 0 | |
| 21.4.0 | 1 / 0 | |
| 21.3.0 | 1 / 0 | |
| 21.2.0 | 1 / 0 | |
| 21.1.0 | 1 / 0 | |
| 21.0.0 | 1 / 0 | |
| 20.20.2 | 1 / 0 | |
| 20.20.1 | 1 / 0 | |
| 20.20.0 | 1 / 0 | |
| 20.19.5 | 1 / 0 | |
| 20.19.2 | 1 / 0 | |
| 20.18.2 | 1 / 0 | |
| 20.16.0 | 1 / 0 | |
| 20.15.0 | 1 / 0 | |
| 20.12.2 | 1 / 0 | |
| 20.12.1 | 1 / 0 | |
| 20.12.0 | 1 / 0 | |
| 20.11.1 | 1 / 0 | |
| 20.11.0 | 1 / 0 | |
| 20.10.0 | 1 / 0 | |
| 20.9.0 | 1 / 0 | |
| 20.8.1 | 1 / 0 | |
| 20.8.0 | 1 / 0 | |
| 20.7.0 | 1 / 0 | |
| 20.6.1 | 1 / 0 | |
| 20.6.0 | 1 / 0 | |
| 20.5.1 | 1 / 0 | |
| 20.5.0 | 1 / 0 | |
| 20.4.0 | 1 / 0 | |
| 20.3.1 | 1 / 0 | |
| 20.3.0 | 1 / 0 | |
| 20.2.0 | 1 / 0 | |
| 20.1.0 | 1 / 0 | |
| 20.0.0 | 1 / 0 | |
| 19.8.1 | 1 / 0 | |
| 19.8.0 | 1 / 0 | |
| 19.7.0 | 1 / 0 | |
| 19.6.1 | 1 / 0 | |
| 19.6.0 | 1 / 0 | |
| 19.5.0 | 1 / 0 | |
| 19.4.0 | 1 / 0 | |
| 19.3.0 | 1 / 0 | |
| 19.2.0 | 1 / 0 | |
| 19.1.0 | 1 / 0 | |
| 19.0.1 | 1 / 0 | |
| 19.0.0 | 1 / 0 | |
| 18.20.8 | 1 / 0 | |
v26.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.8.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.8.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.13.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.11.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.11.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.11.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.22.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.22.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.19.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.18.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.17.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v22.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v22.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.20.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.20.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.19.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.19.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.18.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.15.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.20.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.