raw-body
Get and validate the raw body of a readable stream.
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
bsebasdougwilsonjongleberryljharb
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): iconv-lite is a well-established character encoding library, appropriate for a raw body parsing package adding encoding support. | ai | |
| provenance | publisher-changed | AI (provenance): dougwilson is a well-known Node.js/Express ecosystem maintainer, already listed as a contributor. The 2014 transition from jongleberry is a documented legitimate handoff. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): dougwilson has a strong track record (733 approved packages) and was already a contributor on this package prior to becoming publisher. | ai | |
| provenance | no-provenance | AI (provenance): Established package with clean history; lack of provenance attestation is a process gap, not a security indicator for this package. | ai | |
| dependencies | unvetted-dep:http-errors | AI (dependencies): http-errors is a well-established Node.js ecosystem package and an expected dependency of raw-body; this finding is a stable false positive for this package. | ai |
Versions (showing 51 of 52)
| Version | Deps | Published |
|---|---|---|
| 3.0.2 | 4 / 9 | |
| 3.0.1 | 4 / 12 | |
| 3.0.0 | 4 / 12 | |
| 2.5.3 | 4 / 12 | |
| 2.5.2 | 4 / 12 | |
| 2.5.1 | 4 / 12 | |
| 2.5.0 | 4 / 12 | |
| 2.4.3 | 4 / 12 | |
| 2.4.2 | 4 / 12 | |
| 2.4.1 | 4 / 12 | |
| 2.4.0 | 4 / 12 | |
| 2.3.3 | 4 / 12 | |
| 2.3.2 | 4 / 12 | |
| 2.3.1 | 4 / 12 | |
| 2.3.0 | 4 / 12 | |
| 2.2.0 | 3 / 10 | |
| 2.1.7 | 3 / 9 | |
| 2.1.6 | 3 / 5 | |
| 2.1.5 | 3 / 5 | |
| 2.1.4 | 3 / 5 | |
| 2.1.3 | 3 / 5 | |
| 2.1.2 | 3 / 5 | |
| 2.1.1 | 3 / 5 | |
| 2.1.0 | 2 / 5 | |
| 2.0.2 | 2 / 5 | |
| 2.0.1 | 2 / 5 | |
| 2.0.0 | 2 / 5 | |
| 1.3.4 | 2 / 4 | |
| 1.3.3 | 2 / 4 | |
| 1.3.2 | 2 / 4 | |
| 1.3.1 | 2 / 4 | |
| 1.3.0 | 2 / 4 | |
| 1.2.3 | 2 / 4 | |
| 1.2.2 | 2 / 5 | |
| 1.2.1 | 2 / 5 | |
| 1.2.0 | 2 / 5 | |
| 1.1.7 | 2 / 5 | |
| 1.1.6 | 1 / 7 | |
| 1.1.5 | 1 / 7 | |
| 1.1.4 | 1 / 7 | |
| 1.1.3 | 1 / 7 | |
| 1.1.2 | 1 / 7 | |
| 1.1.1 | 1 / 7 | |
| 1.1.0 | 1 / 7 | |
| 1.0.1 | 1 / 3 | |
| 1.0.0 | 1 / 3 | |
| 0.2.0 | 1 / 3 | |
| 0.1.1 | 1 / 3 | |
| 0.1.0 | 0 / 3 | |
| 0.0.3 | 0 / 1 | |
| 0.0.2 | 0 / 1 |
v1.1.6
2 findings
HIGH
Publisher changed: jongleberry → dougwilson (on 2014-05-27)
provenance
This version was published by a different npm account than previous versions on 2014-05-27. This could indicate a legitimate maintainer transition or an account compromise.
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.