odiff-bin — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dmtr.kovalenko

Keywords

visual-regressionpixelmatchimagecomparisondiffzig

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall selects the correct platform binary from bundled raw_binaries/; stable pattern for this native-binary wrapper.	ai	2026/05/14
npm-metadata	bundled-binaries	AI (npm-metadata): Bundled binaries are the core product (platform-specific odiff executables); expected and documented for this package.	ai	2026/05/14
semgrep	semgrep:child-process-import	AI (semgrep): child_process used to invoke the selected platform binary — core functionality of this CLI wrapper.	ai	2026/05/14

Versions (showing 3 of 3)

Version	Deps	Published
4.3.8	0 / 0	2026-04-16
4.3.5	0 / 0	2026-04-16
4.0.1	0 / 0	2025-10-05

v4.3.8

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./post_install.js

HIGH Bundled binary files (8) npm-metadata

Package contains compiled binaries that could be backdoors: • raw_binaries/odiff-linux-arm64 • raw_binaries/odiff-linux-riscv64 • raw_binaries/odiff-linux-riscv64-rva23 • raw_binaries/odiff-linux-x64 • raw_binaries/odiff-macos-arm64 • raw_binaries/odiff-macos-x64 • raw_binaries/odiff-windows-arm64.exe • raw_binaries/odiff-windows-x64.exe

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.5

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./post_install.js

HIGH Bundled binary files (8) npm-metadata

Package contains compiled binaries that could be backdoors: • raw_binaries/odiff-linux-arm64 • raw_binaries/odiff-linux-riscv64 • raw_binaries/odiff-linux-riscv64-rva23 • raw_binaries/odiff-linux-x64 • raw_binaries/odiff-macos-arm64 • raw_binaries/odiff-macos-x64 • raw_binaries/odiff-windows-arm64.exe • raw_binaries/odiff-windows-x64.exe

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./post_install.js

HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • raw_binaries/odiff • bin/odiff.exe • raw_binaries/odiff.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.