nw-gyp
NW.js (node-webkit) native addon build tool
9
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
rogerwang
Keywords
nativeaddonmodulecc++bindingsgyp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): path-array is a legitimate, established package for PATH management; consistent with nw-gyp's role as a native build tool. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): nw-gyp is a native addon build tool; invoking child_process to run gyp/make/msbuild is core functionality, not malicious. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning system processes is required for a native build tool; this is expected and documented behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used for command dispatch within the package's own directory (configure, build, clean, etc.); not loading arbitrary external modules. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading npm_config_* env vars is the standard npm build tool pattern for inheriting npm configuration; benign and expected. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request@2 is used to download NW.js headers/binaries; well-known library, expected usage for a build tool. | ai |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 3.6.4 | 13 / 4 | |
| 3.6.2 | 13 / 4 | |
| 3.4.0 | 14 / 4 | |
| 0.13.0 | 13 / 0 | |
| 0.12.4 | 13 / 0 | |
| 0.12.3 | 13 / 0 | |
| 0.12.2 | 13 / 0 | |
| 0.10.9 | 13 / 0 | |
| 0.7.3 | 13 / 0 |
v3.6.4
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.