spdy
Implementation of the SPDY protocol on node.js.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): The publisher change from fedor.indutny to indutny in 2014 is a well-known account consolidation by Fedor Indutny, a prominent Node.js contributor. This is a stable historical fact, not a security risk. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): The indutny maintainer addition in 2014 corresponds to Fedor Indutny's account consolidation. The indutny account is the canonical publisher for this package with a strong track record. | ai | |
| source-diff | net-exec-file:examples/twitlog/public/javascripts/socket.io.min.js | AI (source-diff): This is the legitimate Socket.IO 0.8.4 minified client library bundled in an example app directory, not malware. Copyright header confirms LearnBoost origin. | ai | |
| source-diff | net-exec-file:examples/twitlog/node_modules/jade/jade.js | AI (source-diff): Legitimate Jade template engine bundled as a vendored dependency in the examples/twitlog demo application. Not malicious. | ai | |
| source-diff | net-exec-file:examples/twitlog/node_modules/jade/jade.min.js | AI (source-diff): Minified Jade template engine in example vendored deps. Same as jade.js — legitimate library, not malware. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are vendored dependencies inside examples/twitlog/node_modules/ — a demo app bundled with the package, not injected malicious code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to bundled example app with vendored node_modules (socket.io, jade, etc.). Core library size is unchanged. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process.spawn used in examples/twitlog/autorestart.js for process restart — a standard dev utility pattern, not malicious. | ai | |
| dependencies | unvetted-dep:zlibcontext | AI (dependencies): zlibcontext is a natural zlib binding dependency for the SPDY protocol implementation; stable and expected for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): safe-buffer is a well-known, widely-trusted Buffer shim by Feross; its addition is appropriate for a network protocol library targeting older Node.js versions. | ai | |
| dependencies | unvetted-dep:spdy-transport | AI (dependencies): spdy-transport is the core transport layer of the spdy ecosystem by the same trusted author (indutny); no risk signal. | ai | |
| dependencies | unvetted-dep:handle-thing | AI (dependencies): handle-thing is a companion package in the spdy ecosystem by the same trusted author (indutny); no risk signal. | ai | |
| dependencies | unvetted-dep:http-deceiver | AI (dependencies): http-deceiver is a companion package in the spdy ecosystem by the same trusted author (indutny); no risk signal. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; no provenance is expected for packages this old. | ai | |
| dependencies | unvetted-dep:select-hose | AI (dependencies): select-hose is a companion package in the spdy ecosystem by the same trusted author (indutny); no risk signal. | ai |
Versions (showing 51 of 194)
| Version | Deps | Published |
|---|---|---|
| 4.0.1 | 5 / 4 | |
| 4.0.0 | 5 / 4 | |
| 3.4.7 | 6 / 4 | |
| 3.4.5 | 5 / 4 | |
| 3.4.4 | 5 / 3 | |
| 3.4.3 | 5 / 3 | |
| 3.4.2 | 5 / 3 | |
| 3.4.1 | 5 / 3 | |
| 3.4.0 | 5 / 3 | |
| 3.3.4 | 5 / 3 | |
| 3.3.3 | 5 / 3 | |
| 3.3.2 | 5 / 3 | |
| 3.3.1 | 5 / 3 | |
| 3.2.4 | 5 / 3 | |
| 3.2.3 | 5 / 3 | |
| 3.2.2 | 5 / 3 | |
| 3.2.1 | 5 / 3 | |
| 3.2.0 | 5 / 3 | |
| 3.1.0 | 5 / 3 | |
| 3.0.1 | 5 / 3 | |
| 3.0.0 | 5 / 3 | |
| 2.1.0 | 5 / 3 | |
| 2.0.5 | 5 / 3 | |
| 2.0.4 | 5 / 3 | |
| 2.0.3 | 5 / 3 | |
| 2.0.2 | 5 / 3 | |
| 2.0.0 | 5 / 3 | |
| 1.32.5 | 0 / 1 | |
| 1.32.4 | 0 / 1 | |
| 1.32.3 | 0 / 1 | |
| 1.32.2 | 0 / 1 | |
| 1.32.1 | 0 / 1 | |
| 1.32.0 | 0 / 1 | |
| 1.31.0 | 0 / 1 | |
| 1.30.2 | 0 / 1 | |
| 1.30.0 | 0 / 1 | |
| 1.29.2 | 0 / 1 | |
| 1.29.1 | 0 / 1 | |
| 1.29.0 | 0 / 1 | |
| 1.28.2 | 0 / 1 | |
| 1.28.1 | 0 / 1 | |
| 1.28.0 | 0 / 1 | |
| 1.27.0 | 0 / 1 | |
| 1.26.5 | 0 / 1 | |
| 1.26.4 | 0 / 1 | |
| 1.26.3 | 0 / 1 | |
| 1.26.2 | 0 / 1 | |
| 1.26.1 | 0 / 1 | |
| 1.26.0 | 0 / 1 | |
| 1.25.6 | 0 / 1 | |
| 1.25.5 | 0 / 1 |
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.32.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.32.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-07-20. This could indicate a legitimate maintainer transition or an account compromise.
v1.32.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-07-17. This could indicate a legitimate maintainer transition or an account compromise.
v1.32.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-07-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.32.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-07-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.32.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-04-20. This could indicate a legitimate maintainer transition or an account compromise.
v1.31.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-03-05. This could indicate a legitimate maintainer transition or an account compromise.
v1.30.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-02-24. This could indicate a legitimate maintainer transition or an account compromise.
v1.30.0
2 findingsThis version was published by a different npm account than previous versions on 2015-01-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.2
2 findingsThis version was published by a different npm account than previous versions on 2014-12-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.1
2 findingsThis version was published by a different npm account than previous versions on 2014-10-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.0
2 findingsThis version was published by a different npm account than previous versions on 2014-10-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.2
2 findingsThis version was published by a different npm account than previous versions on 2014-10-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.1
2 findingsThis version was published by a different npm account than previous versions on 2014-08-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.0
2 findingsThis version was published by a different npm account than previous versions on 2014-07-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.0
2 findingsThis version was published by a different npm account than previous versions on 2014-07-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.5
2 findingsThis version was published by a different npm account than previous versions on 2014-06-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.4
2 findingsThis version was published by a different npm account than previous versions on 2014-05-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.3
2 findingsThis version was published by a different npm account than previous versions on 2014-05-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.2
2 findingsThis version was published by a different npm account than previous versions on 2014-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.1
2 findingsThis version was published by a different npm account than previous versions on 2014-05-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.0
2 findingsThis version was published by a different npm account than previous versions on 2014-05-13. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.6
2 findingsThis version was published by a different npm account than previous versions on 2014-04-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.5
2 findingsThis version was published by a different npm account than previous versions on 2014-04-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.