piscina MIT 39 versions

piscina

npm Repository Homepage

A fast, efficient Node.js Worker Thread Pool implementation

39

Versions

MIT

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

metcoder95matteo.collinajasnellqardaddaleaxrafaelgss

Keywords

fastworker threadsthread poolwade wilson

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (rafaelgss, qard, metcoder95) are known Node.js ecosystem contributors; this is a legitimate org-level maintainer expansion, not a takeover.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): rafaelgss is a known Node.js core contributor with strong track record; the piscinajs org maintainer transition is publicly documented and legitimate.	ai	2026/04/22
semgrep	semgrep:eval-usage	AI (semgrep): eval() wraps a static string literal to prevent TS/CJS compiler from transforming dynamic import(). This is a standard, safe workaround for ESM interop in CommonJS — not user-controlled input.	ai	2026/04/22
dependencies	unvetted-dep:nice-napi	AI (dependencies): nice-napi is an optional dependency for thread priority management, well-known in the Node.js native addon ecosystem and appropriate for a worker pool library.	ai	2026/04/22
dependencies	unvetted-dep:eventemitter-asyncresource	AI (dependencies): eventemitter-asyncresource is a standard Node.js async context tracking utility, appropriate for a worker thread pool implementation.	ai	2026/04/22
dependencies	unvetted-dep:hdr-histogram-percentiles-obj	AI (dependencies): hdr-histogram-percentiles-obj is a utility for HDR histogram metrics, appropriate for piscina's performance monitoring features.	ai	2026/04/22
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function used solely to wrap dynamic import() for CJS/ESM interop — a standard, safe pattern in the Node.js ecosystem.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established package with clean history; lack of Sigstore provenance is common and not a risk signal here.	ai	2026/04/22

Versions (showing 39 of 39)

Version	Deps	Published
5.1.4	0 / 10	2025-11-07
5.1.3	0 / 10	2025-07-09
5.1.2	0 / 11	2025-06-26
5.1.1	0 / 11	2025-06-19
5.1.0	0 / 11	2025-06-15
5.0.0	0 / 11	2025-05-02
4.9.2	0 / 13	2025-03-18
4.9.1	0 / 13	2025-03-18
4.9.0	0 / 13	2025-03-16
4.8.0	0 / 13	2024-12-04
4.7.0	0 / 13	2024-09-18
4.6.1	0 / 13	2024-06-26
4.6.0	0 / 13	2024-06-18
4.5.1	0 / 13	2024-05-22
4.5.0	0 / 13	2024-05-20
4.4.0	0 / 11	2024-02-28
4.3.2	0 / 11	2024-02-16
4.3.1	0 / 11	2024-01-30
4.3.0	0 / 11	2024-01-16
4.2.1	3 / 11	2023-12-13
4.2.0	3 / 11	2023-11-19
4.1.0	4 / 11	2023-08-01
4.0.0	4 / 11	2023-06-14
3.2.0	4 / 11	2021-12-10
3.1.0	4 / 11	2021-05-17
3.0.0	4 / 11	2021-04-30
2.2.0	4 / 10	2021-02-23
2.1.0	4 / 10	2020-12-02
2.0.0	4 / 10	2020-11-25
1.6.3	4 / 10	2020-07-09
1.6.2	4 / 10	2020-06-01
1.6.1	4 / 10	2020-05-27
1.6.0	4 / 10	2020-05-22
1.5.1	3 / 10	2020-05-21
1.5.0	3 / 9	2020-05-16
1.4.0	3 / 9	2020-05-12
1.3.0	3 / 9	2020-05-09
1.1.0	2 / 8	2020-05-01
1.0.0	2 / 8	2020-05-01

v4.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

2 findings

HIGH Publisher changed: rafaelgss → metcoder95 (on 2023-08-01) provenance

This version was published by a different npm account than previous versions on 2023-08-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

2 findings

HIGH Publisher changed: jasnell → rafaelgss (on 2023-06-14) provenance

This version was published by a different npm account than previous versions on 2023-06-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.