readable-stream MIT 89 versions

readable-stream

npm Repository Homepage

Node.js Streams, a user-land copy of the stream library from Node.js

Versions

MIT

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cwmmamatteo.collinanodejs-foundation

Keywords

readablestreampipe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of isaacs/tootallnate is part of the documented legitimate maintainer transition to rvagg.	ai	2026/04/21
maintainer-change	maintainer-takeover	AI (maintainer-change): rvagg (Rod Vagg) is a well-known Node.js TSC member who legitimately took over readable-stream maintenance from isaacs circa 2014.	ai	2026/04/21
source-diff	source-size-dropped	AI (source-diff): Size drop is due to extracting utilities (core-util-is, string_decoder) into separate deps — normal modularization.	ai	2026/04/21
phantom-deps	phantom-dep:unreachable-branch-transform	AI (phantom-deps): Correctly identified as referenced only in browserify config, not directly imported. This is the intended usage pattern for a Browserify transform.	ai	2026/04/21
dependencies	unvetted-dep:unreachable-branch-transform	AI (dependencies): Build-time Browserify transform; not a runtime dependency. Legitimate for streams polyfill.	ai	2026/04/21
phantom-deps	phantom-dep:inline-process-browser	AI (phantom-deps): Correctly identified as referenced only in browserify config, not directly imported. This is the intended usage pattern for a Browserify transform.	ai	2026/04/21
dependencies	unvetted-dep:inline-process-browser	AI (dependencies): Build-time Browserify transform; not a runtime dependency. Legitimate for streams polyfill.	ai	2026/04/21
dependencies	unvetted-dep:string_decoder	AI (dependencies): string_decoder is a Node.js core module polyfill and a well-known, legitimate dependency for readable-stream; stable across all versions of this package.	ai	2026/04/21
license	uncommon-license:BSD	AI (license): BSD is a standard permissive license widely used in the Node.js ecosystem; no legal risk for this package.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Legitimate maintainer transition for canonical Node.js streams polyfill; repository confirms official status.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): safe-buffer replaced buffer-shims; both are well-known Node.js ecosystem packages. Dependency swap, not suspicious addition.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Legitimate handoff of canonical Node.js streams polyfill to active maintainers (isaacs, tootallnate).	ai	2026/04/21
dependencies	unvetted-dep:buffer-shims	AI (dependencies): buffer-shims is a small, focused utility for Node.js stream polyfills; stable dependency for readable-stream.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal here.	ai	2026/04/21

Versions (showing 89 of 89)

Version	Deps	Published
4.7.0	5 / 28	2025-01-07
4.6.0	5 / 27	2024-12-19
4.5.2	5 / 27	2023-12-27
4.5.1	5 / 27	2023-12-18
4.5.0	5 / 27	2023-12-18
4.4.2	5 / 27	2023-07-03
4.4.1	4 / 27	2023-06-29
4.4.0	4 / 27	2023-05-08
4.3.0	4 / 27	2023-01-01
4.2.0	4 / 27	2022-09-23
4.1.0	1 / 29	2022-07-11
4.0.0	1 / 29	2022-06-14
3.6.2	3 / 20	2023-03-10
3.6.1	3 / 20	2023-02-23
3.6.0	3 / 20	2020-02-13
3.5.0	3 / 20	2020-01-17
3.4.0	3 / 19	2019-05-28
3.3.0	3 / 19	2019-04-01
3.2.0	3 / 19	2019-02-28
3.1.1	3 / 19	2018-12-23
3.1.0	3 / 33	2018-12-16
3.0.6	3 / 33	2018-10-02
3.0.5	3 / 33	2018-10-02
3.0.4	3 / 33	2018-10-01
3.0.3	3 / 33	2018-09-10
3.0.2	3 / 33	2018-08-20
3.0.1	3 / 33	2018-08-13
3.0.0	4 / 33	2018-08-10
2.3.8	7 / 7	2023-02-23
2.3.7	7 / 7	2020-01-05
2.3.6	7 / 7	2018-04-04
2.3.5	7 / 8	2018-03-03
2.3.4	7 / 7	2018-02-09
2.3.3	7 / 7	2017-06-29
2.3.2	7 / 7	2017-06-22
2.3.1	7 / 7	2017-06-21
2.3.0	7 / 7	2017-06-19
2.2.11	7 / 7	2017-06-06
2.2.10	7 / 7	2017-06-02
2.2.9	7 / 7	2017-04-08
2.2.8	7 / 7	2017-04-07
2.2.7	7 / 7	2017-04-07
2.2.6	7 / 7	2017-03-16
2.2.5	7 / 7	2017-03-14
2.2.4	7 / 7	2017-03-14
2.2.3	7 / 7	2017-02-21
2.2.2	7 / 7	2016-11-14
2.2.1	7 / 7	2016-11-10
2.2.0	7 / 7	2016-11-10
2.1.5	7 / 6	2016-08-17
2.1.4	7 / 6	2016-05-19
2.1.2	6 / 4	2016-04-29
2.1.1	6 / 4	2016-04-29
2.1.0	8 / 4	2016-04-13
2.0.6	6 / 3	2016-03-13
2.0.5	6 / 3	2015-12-16
2.0.4	6 / 3	2015-10-31
2.0.3	6 / 3	2015-10-22
2.0.2	6 / 3	2015-07-16
2.0.1	6 / 3	2015-06-22
2.0.0	6 / 1	2015-06-10
1.1.14	4 / 1	2016-04-13
1.1.13	4 / 1	2014-08-20
1.1.12	4 / 1	2014-03-30
1.1.11	3 / 1	2014-02-20
1.1.10	3 / 1	2014-01-09
1.1.9	2 / 1	2013-09-13
1.1.8	2 / 1	2013-08-30
1.1.7	2 / 1	2013-08-26
1.0.34	4 / 1	2016-04-13
1.0.33	4 / 1	2014-10-25
1.0.32	4 / 1	2014-09-22
1.0.31	4 / 1	2014-08-20
1.0.26	1 / 1	2014-02-20
1.0.25	1 / 1	2014-01-23
1.0.24	0 / 1	2014-01-09
1.0.17	0 / 1	2013-08-26
1.0.15	0 / 1	2013-08-02
1.0.2	0 / 1	2013-03-11
1.0.1	0 / 1	2013-03-11
1.0.0	0 / 1	2013-03-09
0.3.1	0 / 1	2013-02-20
0.3.0	0 / 1	2013-02-14
0.2.0	0 / 1	2013-01-11
0.1.0	0 / 1	2012-12-14
0.0.4	0 / 1	2012-12-03
0.0.3	0 / 1	2012-10-15
0.0.2	0 / 1	2012-09-10
0.0.1	0 / 1	2012-07-27