punycode
A robust Punycode converter that fully complies to RFC 3492 and RFC 5891, and works on nearly all JavaScript platforms.
Versions: 19
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mathias, google-wombot
Keywords
punycode, unicode, idn, idna, dns, url, domain
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Mathias Bynens (original author) reclaimed the package; google-wombot is Google's known publishing bot. This is a legitimate transfer, not a hostile takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to google-wombot reflects Google's publishing infrastructure used by the original author Mathias Bynens; consistent with legitimate ownership. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): mathias and google-wombot are the original author and Google's publishing bot respectively; addition is legitimate. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): wizard was replaced by the original author mathias; removal is part of a legitimate ownership consolidation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Mature, stable library; infrequent releases are expected. No malicious indicators accompany the dormancy gap. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is a legitimate ~14-year-old early npm package; sparse metadata and minimal entry point are characteristic of the era, not spam indicators. | ai | |