optipng-stream-bin — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ameyp

Keywords

compressimageimgminifyoptimizepngstream

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:tmp	AI (phantom-deps): tmp is a direct runtime dependency used by the package's core streaming functionality; not a phantom dependency.	ai	2026/04/24
phantom-deps	phantom-dep:optipng-bin	AI (phantom-deps): optipng-bin is the core dependency this wrapper package depends on; not a phantom dependency.	ai	2026/04/24
phantom-deps	phantom-dep:concat-stream	AI (phantom-deps): concat-stream is a direct runtime dependency used for streaming PNG data; not a phantom dependency.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): This package's core purpose is to spawn the optipng binary via child_process.spawn. The usage is transparent, expected, and stable across all versions.	ai	2026/04/24

Versions (showing 7 of 7)

Version	Deps	Published
0.0.7	5 / 1	2014-03-31
0.0.6	5 / 1	2014-03-31
0.0.5	4 / 3	2014-03-02
0.0.4	4 / 3	2014-03-02
0.0.3	3 / 3	2014-02-28
0.0.2	3 / 3	2014-02-28
0.0.1	3 / 3	2014-02-28