
phantomjs-prebuilt

Headless WebKit with JS API

Versions: 4
License: Apache-2.0
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version (checks shown as reported on this page):

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source: a registry signature only proves that the npm registry served this exact tarball, and a gitHead field is an unverified claim by the publisher, so neither shows that the tarball was built from the repository commit it names. The axios compromise (March 2026) relied on exactly this gap.

Maintainers: medium

Keywords: phantomjs, headless, webkit

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): es6-promise is a well-known, benign Promise polyfill with no malicious history; not a meaningful attack vector for this package. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers dpup and medium are Dan Pupius and Medium org, directly tied to the package's own GitHub repo and author field. Legitimate organizational addition, not a suspicious takeover. | ai |
source-diff | source-size-tripled | AI (source-diff): 88x size increase is fully explained by bundling request and its transitive dependencies directly into the tarball. No obfuscation or malicious payload present. | ai |
source-diff | large-new-source-files | AI (source-diff): Size increase is due to vendored/bundled runtime dependencies (request and transitive deps), a known pattern for phantomjs-prebuilt. Not injected malicious code. | ai |
dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP client used to download prebuilt binaries; appropriate for this package's age and purpose. | ai |
install-scripts | install-script:install | AI (install-scripts): phantomjs-prebuilt's install script downloads prebuilt PhantomJS binaries; this is the package's documented and expected install flow. | ai |
provenance | no-provenance | AI (provenance): Legacy package predates Sigstore provenance; not a risk signal for established packages. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads platform-specific config by path in lib/util.js; standard pattern for this package. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in install.js to verify the downloaded PhantomJS binary; standard for prebuilt binary packages. | ai |

Versions (showing 4 of 4)

Version | Deps | Published
2.1.10 | 9 / 3 |
2.1.9 | 8 / 2 |
2.1.7 | 8 / 2 |
2.1.4 | 8 / 2 |

v2.1.10

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v2.1.9

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v2.1.7

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v2.1.4

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.