rollup-plugin-node-builtins

use node builtins in browser with rollup

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cwmma

Keywords

rollup-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:src/es6/setimmediate.js	AI (source-diff): This is the YuzuJS/setImmediate MIT-licensed browser polyfill. new Function() is the spec-compliant string-callback path; no actual network exfiltration present.	ai	2026/04/24
source-diff	net-exec-file:src/es6/vm.js	AI (source-diff): This is the substack/vm-browserify MIT-licensed shim. new Function() is inherent to implementing vm.runInNewContext() in browsers; no malicious network activity.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() in setimmediate.js is a standard pattern in the setimmediate polyfill for handling string callbacks per spec; not a malicious code execution vector for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): browserify-fs is a legitimate Node.js fs shim; adding it is consistent with this package's purpose of polyfilling Node builtins for browser use.	ai	2026/04/24

Versions (showing 15 of 15)

Version	Deps	Published
2.1.2	4 / 7	2017-05-10
2.1.1	4 / 7	2017-05-03
2.1.0	4 / 7	2017-02-21
2.0.0	3 / 7	2016-10-04
1.2.1	3 / 7	2016-09-30
1.2.0	3 / 6	2016-09-23
1.1.0	3 / 6	2016-09-16
1.0.8	4 / 9	2016-09-09
1.0.7	4 / 7	2016-07-25
1.0.6	3 / 8	2016-07-20
1.0.5	3 / 8	2016-07-20
1.0.3	5 / 6	2016-03-29
1.0.2	5 / 6	2016-03-29
1.0.1	5 / 6	2016-03-17
1.0.0	1 / 7	2016-03-10

v2.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.1

3 findings

HIGH New file with network + code execution: src/es6/setimmediate.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/es6/vm.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

3 findings

HIGH New file with network + code execution: src/es6/setimmediate.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: src/es6/vm.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.