put
Pack multibyte binary values into buffers
Supply chain provenance
Status for the latest visible version: no Sigstore/SLSA provenance attestation is attached to the published tarball.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing proves that the bytes on the registry were built from the commit the repository shows. The axios compromise (March 2026) relied on exactly this gap. For packages already in a project tree, `npm audit signatures` verifies registry signatures and, in recent npm versions, provenance attestations; note that provenance only proves where and how a build ran, not that the source it built from was benign.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:nuxt | AI (typosquat): put is a 15+ year old legitimate package by substack; short name coincidentally close to nuxt but no impersonation intent. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): put is a 15+ year old legitimate package; 3-letter name proximity to got is coincidental, not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): put is a 15+ year old legitimate package; 3-letter name proximity to pg is coincidental, not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): put is a 15+ year old legitimate package; 3-letter name proximity to yup is coincidental, not a typosquat. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are in test/c/ directory (ftoi, itof) — test fixtures for a binary packing library, not production backdoors. Stable for this package. | ai | |
| osv | osv:GHSA-v6gv-fg46-h89j | AI (osv): Vulnerability only affects Node.js <=6.x (EOL since 2019). No fix exists or is needed for modern Node.js. Low severity and no reachable exploit path on supported runtimes. | ai | |
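The four typosquat rows above are all distance-2 hits on a three-letter name. The block below is an added example, not the scanner's rule implementation: it computes the Levenshtein distance the rule is named after, shows why an absolute threshold fires on almost any short name, and contrasts a length-aware variant with the age exemption the reviewer applied. The popular-name list, the thresholds and the `ageDays` parameter are assumptions chosen for illustration.

```javascript
// Added example (not the scanner's own code): why `put` trips a
// levenshtein typosquat rule against got / pg / yup / nuxt, and one way to
// make the rule length-aware. POPULAR is a constructed list for the demo.
const POPULAR = ['got', 'pg', 'yup', 'nuxt', 'lodash', 'request'];

// Classic Levenshtein distance: insert, delete and substitute cost 1 each.
// Single-row dynamic programme, O(|a| * |b|) time, O(|b|) space.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // D[i-1][j-1]
    prev[0] = i;                 // D[i][0]
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];     // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Naive rule: flag any popular name within maxDistance edits. On a
// 3-letter name almost every other short name is within 2 edits.
function naiveTyposquatHits(name, popular, maxDistance = 2) {
  return popular.filter((p) => p !== name && levenshtein(name, p) <= maxDistance);
}

// Length-aware rule (assumption, not the scanner's): require the edits to be
// a small fraction of the longer name, so 2 edits on a 3-letter name (67%
// changed) does not fire while "lodahs" vs "lodash" (33%) still does.
// Packages older than minAgeDays are exempt, mirroring the reviewer's
// "15+ year old legitimate package" reasoning in the table above.
function typosquatHits(name, popular, { maxRatio = 0.34, ageDays = 0, minAgeDays = 365 } = {}) {
  if (ageDays >= minAgeDays) return [];
  return popular.filter((p) => {
    if (p === name) return false;
    const d = levenshtein(name, p);
    return d > 0 && d / Math.max(name.length, p.length) <= maxRatio;
  });
}

console.log('naive:', naiveTyposquatHits('put', POPULAR));   // got, pg, yup, nuxt
console.log('ratio:', typosquatHits('put', POPULAR));         // []
console.log('ratio:', typosquatHits('lodahs', POPULAR));      // lodash
```

The ratio rule suppresses the four hits on `put` but also suppresses genuine one-character squats on two- and three-letter names (`pg` vs `py` is 50% changed), so for very short names an explicit allow-list, package age and download history have to carry the decision rather than edit distance alone.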
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.0.6 | 0 / 0 | |
| 0.0.5 | 0 / 0 | |
| 0.0.4 | 0 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.1 | 0 / 0 | |
v0.0.6
3 findings
[Accepted risk] Package contains compiled binaries that could be backdoors: test/c/ftoi, test/c/itof. Accepted as test fixtures for a binary-packing library (see Accepted risks).
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] GHSA-v6gv-fg46-h89j: all versions of `put` are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the result to the bytes actually written, so the returned Buffer can carry uninitialized memory, which may contain sensitive data. This only affects Node.js <=6.x: from Node.js 8 onward `new Buffer(n)` is zero-filled, so the untrimmed tail is zeros rather than stale heap contents. Recommendation: upgrade your Node.js version or consider using an alternative package.
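The advisory describes a bug class rather than a specific line, so the block below re-creates that class as an added example: it is not `put`'s source. It packs a few fixed-width integers two ways, once with a guessed, over-sized allocation that is returned untrimmed, and once with an exact, zero-filled allocation. Because Node.js 8 and later zero-fill `new Buffer(n)`, the leak is not reproducible with the real allocator on a supported runtime; the demo therefore simulates the old non-zeroing behaviour with a small pool that hands out slices of one reused backing store. The pool, the field format and the "secret" left in memory are all constructed for this example.

```javascript
// Added example (not code from the `put` package): the bug class behind
// GHSA-v6gv-fg46-h89j, over-allocating an uninitialised Buffer and returning
// it without trimming to the bytes written, beside the safe form.

// Simulated pre-Node-8 allocator (assumption for the demo): slices of one
// reused backing store, never zeroed, like the old `new Buffer(n)`.
const POOL = Buffer.alloc(64);
let poolOffset = 0;
function uninitializedBuffer(n) {
  if (poolOffset + n > POOL.length) poolOffset = 0; // wrap and reuse stale bytes
  const b = POOL.subarray(poolOffset, poolOffset + n);
  poolOffset += n;
  return b;
}

// Fields to pack: [{ width: bytes, value: unsigned integer }], big-endian.
function packLeaky(fields) {
  // Bug 1: the size is guessed (8 bytes per field) instead of summed from widths.
  const buf = uninitializedBuffer(fields.length * 8);
  let off = 0;
  for (const { width, value } of fields) {
    buf.writeUIntBE(value, off, width);
    off += width;
  }
  // Bug 2: the whole allocation is returned instead of buf.subarray(0, off),
  // so every byte past `off` is whatever the allocator left there.
  return buf;
}

function packSafe(fields) {
  const size = fields.reduce((n, f) => n + f.width, 0); // exact size
  const buf = Buffer.alloc(size);                          // zero-filled
  let off = 0;
  for (const { width, value } of fields) {
    buf.writeUIntBE(value, off, width);
    off += width;
  }
  return buf; // length === size === off, nothing beyond the written bytes
}

// Simulate earlier activity that left a secret in the pool, then pack a
// 3-byte message (1-byte tag, 2-byte value) with each implementation.
function demo() {
  const secret = uninitializedBuffer(16);
  secret.write('hunter2-api-key!');            // constructed stale data
  poolOffset = 0;                               // allocator hands the region out again
  const fields = [{ width: 1, value: 0x01 }, { width: 2, value: 0xbeef }];
  const leaky = packLeaky(fields);
  const safe = packSafe(fields);
  return {
    leakyLength: leaky.length,                          // 16 bytes for a 3-byte message
    leakedTail: leaky.subarray(3).toString('latin1'),   // stale secret bytes
    safeLength: safe.length,                            // 3
    safeHex: safe.toString('hex'),                      // '01beef'
  };
}

console.log(demo());
```

The two fixes are independent: computing the exact size removes the over-allocation, and trimming (or, on modern Node.js, using `Buffer.alloc` rather than `Buffer.allocUnsafe`) removes the exposure even if the size estimate is wrong. When reviewing any packer that hands a Buffer to the network, check that `length` equals the number of bytes written, not the number reserved.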
v0.0.5
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] GHSA-v6gv-fg46-h89j: Uninitialized Memory Exposure, Node.js <=6.x only (same finding as v0.0.6).
v0.0.4
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] GHSA-v6gv-fg46-h89j: Uninitialized Memory Exposure, Node.js <=6.x only (same finding as v0.0.6).
v0.0.3
2 findings
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] GHSA-v6gv-fg46-h89j: Uninitialized Memory Exposure, Node.js <=6.x only (same finding as v0.0.6).
v0.0.1
2 findings
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] GHSA-v6gv-fg46-h89j: Uninitialized Memory Exposure, Node.js <=6.x only (same finding as v0.0.6).