← Home

readable-stream

npm Repository Homepage

Node.js Streams, a user-land copy of the stream library from Node.js

51
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cwmmamatteo.collinanodejs-foundation

Keywords

readablestreampipe

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-removed AI (maintainer-change): Removal of isaacs/tootallnate is part of the documented legitimate maintainer transition to rvagg. ai
maintainer-change maintainer-takeover AI (maintainer-change): rvagg (Rod Vagg) is a well-known Node.js TSC member who legitimately took over readable-stream maintenance from isaacs circa 2014. ai
source-diff source-size-dropped AI (source-diff): Size drop is due to extracting utilities (core-util-is, string_decoder) into separate deps — normal modularization. ai
phantom-deps phantom-dep:unreachable-branch-transform AI (phantom-deps): Correctly identified as referenced only in browserify config, not directly imported. This is the intended usage pattern for a Browserify transform. ai
dependencies unvetted-dep:unreachable-branch-transform AI (dependencies): Build-time Browserify transform; not a runtime dependency. Legitimate for streams polyfill. ai
phantom-deps phantom-dep:inline-process-browser AI (phantom-deps): Correctly identified as referenced only in browserify config, not directly imported. This is the intended usage pattern for a Browserify transform. ai
dependencies unvetted-dep:inline-process-browser AI (dependencies): Build-time Browserify transform; not a runtime dependency. Legitimate for streams polyfill. ai
dependencies unvetted-dep:string_decoder AI (dependencies): string_decoder is a Node.js core module polyfill and a well-known, legitimate dependency for readable-stream; stable across all versions of this package. ai
license uncommon-license:BSD AI (license): BSD is a standard permissive license widely used in the Node.js ecosystem; no legal risk for this package. ai
provenance publisher-changed AI (provenance): Legitimate maintainer transition for canonical Node.js streams polyfill; repository confirms official status. ai
publish-pattern new-deps-added AI (publish-pattern): safe-buffer replaced buffer-shims; both are well-known Node.js ecosystem packages. Dependency swap, not suspicious addition. ai
maintainer-change maintainer-added AI (maintainer-change): Legitimate handoff of canonical Node.js streams polyfill to active maintainers (isaacs, tootallnate). ai
dependencies unvetted-dep:buffer-shims AI (dependencies): buffer-shims is a small, focused utility for Node.js stream polyfills; stable dependency for readable-stream. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal here. ai

Versions (showing 51 of 89)

View all versions
Version Deps Published
4.7.0 5 / 28
4.6.0 5 / 27
4.5.2 5 / 27
4.5.1 5 / 27
4.5.0 5 / 27
4.4.2 5 / 27
4.4.1 4 / 27
4.4.0 4 / 27
4.3.0 4 / 27
4.2.0 4 / 27
4.1.0 1 / 29
4.0.0 1 / 29
3.6.2 3 / 20
3.6.1 3 / 20
3.6.0 3 / 20
3.5.0 3 / 20
3.4.0 3 / 19
3.3.0 3 / 19
3.2.0 3 / 19
3.1.1 3 / 19
3.1.0 3 / 33
3.0.6 3 / 33
3.0.5 3 / 33
3.0.4 3 / 33
3.0.3 3 / 33
3.0.2 3 / 33
3.0.1 3 / 33
3.0.0 4 / 33
2.3.8 7 / 7
2.3.7 7 / 7
2.3.6 7 / 7
2.3.5 7 / 8
2.3.4 7 / 7
2.3.3 7 / 7
2.3.2 7 / 7
2.3.1 7 / 7
2.3.0 7 / 7
2.2.11 7 / 7
2.2.10 7 / 7
2.2.9 7 / 7
2.2.8 7 / 7
2.2.7 7 / 7
2.2.6 7 / 7
2.2.5 7 / 7
2.2.4 7 / 7
2.2.3 7 / 7
2.2.2 7 / 7
2.2.1 7 / 7
2.2.0 7 / 7
2.1.5 7 / 6
2.1.4 7 / 6