reqwest — Greenflagged

A wrapper for asynchronous http requests

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dedrvagg

Keywords

enderajaxxhrconnectionweb 2.0asyncsync

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase from 11KB to 178KB is explained by addition of legitimate build tool dependencies (uglify-js, jshint, rimraf, gzip, sqwish, asciimo, colors) for this JS packager.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New deps (uglify-js, jshint, rimraf, gzip, sqwish, asciimo, colors) are all well-known, legitimate build tooling packages consistent with a JS packager tool.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): smoosh is a JS build/packaging tool; large number of source files reflects legitimate build tooling dependencies (uglify-js, jshint, etc.), not injected code.	ai	2026/04/22
email-domain	unclaimed-email:ded	AI (email-domain): Author field uses '@ded' as a social handle (Twitter/GitHub), not a real email address. 'ded' is not a valid TLD; this is a persistent false positive for this package.	ai	2026/04/22
phantom-deps	phantom-dep:valentine	AI (phantom-deps): valentine is used as an Ender.js build/bundle dependency by the same author (Dustin Diaz/@ded), not a direct require(). Expected pattern for this ecosystem.	ai	2026/04/22
npm-metadata	bundled-binaries	AI (npm-metadata): vendor/phantomjs is a well-known headless browser used for testing; explicitly excluded from spm distribution. Not a backdoor risk for this established package.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is imported in make/tests.js (test/build tooling), not in runtime code. Expected for a build tool package.	ai	2026/04/21
semgrep	semgrep:eval-usage	AI (semgrep): eval() in reqwest.js is a legacy JSON.parse fallback pattern (JSON ? JSON.parse(r) : eval('(' + r + ')')), a well-known safe pattern for old browser compatibility. Not a supply-chain risk.	ai	2026/04/21
typosquat	typosquat.levenshtein:request	AI (typosquat): reqwest is a legitimate, intentionally named browser AJAX library by Dustin Diaz (ded), ~15 years old with 72 versions. Not a typosquat of 'request'.	ai	2026/04/21

Versions (showing 51 of 71)

View all versions

Version	Deps	Published
2.0.5	0 / 8	2015-10-15
2.0.4	0 / 8	2015-09-22
2.0.3	0 / 8	2015-09-02
2.0.2	0 / 8	2015-08-19
2.0.1	0 / 8	2015-07-23
2.0.0	0 / 8	2015-07-17
1.1.6	0 / 8	2015-07-01
1.1.5	0 / 8	2014-11-02
1.1.4	0 / 8	2014-10-10
1.1.3	0 / 8	2014-10-08
1.1.2	0 / 8	2014-07-30
1.1.0	0 / 8	2014-02-24
1.0.2	0 / 8	2014-01-24
1.0.1	0 / 8	2014-01-23
0.9.7	0 / 8	2014-01-01
0.9.6	0 / 8	2013-12-10
0.9.5	0 / 8	2013-12-10
0.9.4	0 / 8	2013-12-10
0.9.3	0 / 8	2013-11-01
0.9.2	0 / 8	2013-11-01
0.9.1	0 / 8	2013-10-21
0.9.0	0 / 7	2013-08-14
0.8.2	0 / 7	2013-06-17
0.8.1	0 / 7	2013-06-03
0.8.0	0 / 7	2013-05-17
0.7.3	0 / 7	2013-05-01
0.7.2	0 / 7	2013-04-22
0.7.1	0 / 7	2013-04-22
0.7.0	0 / 7	2013-04-21
0.6.5	0 / 7	2013-04-21
0.6.4	0 / 6	2013-02-06
0.6.2	0 / 6	2012-12-14
0.6.1	0 / 6	2012-12-12
0.6.0	0 / 6	2012-11-30
0.5.1	0 / 6	2012-11-26
0.5.0	0 / 5	2012-11-12
0.4.5	0 / 5	2012-05-04
0.4.3	0 / 5	2012-02-29
0.4.2	0 / 5	2012-02-07
0.4.1	0 / 5	2012-01-13
0.4.0	0 / 5	2012-01-05
0.3.3	0 / 6	2011-10-29
0.3.2	0 / 6	2011-10-17
0.3.1	0 / 6	2011-09-26
0.3.0	0 / 6	2011-09-13
0.2.8	0 / 6	2011-09-12
0.2.7	0 / 6	2011-09-01
0.2.5	0 / 6	2011-09-01
0.2.4	0 / 5	2011-08-30
0.2.3	0 / 5	2011-08-25
0.2.2	0 / 5	2011-08-23