tar-stream
tar-stream is a streaming tar parser and generator and nothing else. It operates purely using streams which means you can easily extract/parse tarballs without ever hitting the file system.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): maxogden is a trusted, long-standing npm publisher (2510 approved packages). Addition in 2015 alongside original author mafintosh is a legitimate maintainer transition. | ai | |
| provenance | publisher-changed | AI (provenance): The 2015 publisher change from mafintosh to maxogden is a documented, legitimate co-maintainer arrangement between two well-known ecosystem contributors. Stable historical fact for this package. | ai | |
| dependencies | unvetted-dep:fs-constants | AI (dependencies): fs-constants is a legitimate cross-platform filesystem constants utility by the same author (mafintosh); its use in a tar library for file mode handling is expected and benign. | ai | |
| dependencies | unvetted-dep:b4a | AI (dependencies): b4a is a legitimate utility package by the same publisher (mafintosh); part of his well-known streaming ecosystem. Not a risk for this package. | ai | |
| dependencies | unvetted-dep:streamx | AI (dependencies): streamx is a core streaming library by the same publisher (mafintosh); widely used and integral to tar-stream's design. Not a risk for this package. | ai | |
| phantom-deps | phantom-dep:bare-fs | AI (phantom-deps): bare-fs is intentionally declared for use in the Bare runtime via the package imports map conditional; it is not directly imported in Node.js but is a legitimate conditional dependency. | ai | |
| provenance | no-provenance | AI (provenance): mafintosh is a long-standing, trusted npm publisher; absence of Sigstore provenance is not a risk signal for this package. | ai |
Versions (showing 66 of 66)
| Version | Deps | Published |
|---|---|---|
| 3.2.0 | 4 / 3 | |
| 3.1.9 | 4 / 3 | |
| 3.1.8 | 4 / 3 | |
| 3.1.7 | 3 / 3 | |
| 3.1.6 | 3 / 3 | |
| 3.1.5 | 3 / 3 | |
| 3.1.4 | 3 / 3 | |
| 3.1.3 | 2 / 3 | |
| 3.1.2 | 2 / 3 | |
| 3.1.1 | 2 / 3 | |
| 3.1.0 | 2 / 3 | |
| 3.0.0 | 3 / 3 | |
| 2.2.0 | 5 / 3 | |
| 2.1.4 | 5 / 3 | |
| 2.1.3 | 5 / 3 | |
| 2.1.2 | 5 / 3 | |
| 2.1.1 | 5 / 3 | |
| 2.1.0 | 5 / 3 | |
| 2.0.1 | 5 / 3 | |
| 2.0.0 | 5 / 3 | |
| 1.6.2 | 7 / 3 | |
| 1.6.1 | 7 / 3 | |
| 1.6.0 | 7 / 3 | |
| 1.5.7 | 7 / 3 | |
| 1.5.6 | 6 / 3 | |
| 1.5.5 | 4 / 3 | |
| 1.5.4 | 4 / 3 | |
| 1.5.3 | 4 / 3 | |
| 1.5.2 | 4 / 3 | |
| 1.5.1 | 4 / 3 | |
| 1.5.0 | 4 / 3 | |
| 1.4.0 | 4 / 3 | |
| 1.3.2 | 4 / 3 | |
| 1.3.1 | 4 / 3 | |
| 1.3.0 | 4 / 2 | |
| 1.2.2 | 4 / 2 | |
| 1.2.1 | 4 / 2 | |
| 1.2.0 | 4 / 2 | |
| 1.1.5 | 4 / 2 | |
| 1.1.4 | 4 / 2 | |
| 1.1.3 | 4 / 2 | |
| 1.1.2 | 4 / 2 | |
| 1.1.1 | 4 / 2 | |
| 1.0.2 | 4 / 2 | |
| 1.0.0 | 4 / 2 | |
| 0.4.7 | 4 / 2 | |
| 0.4.6 | 4 / 2 | |
| 0.4.5 | 4 / 2 | |
| 0.4.4 | 4 / 2 | |
| 0.4.3 | 4 / 2 | |
| 0.4.2 | 4 / 2 | |
| 0.4.1 | 4 / 2 | |
| 0.4.0 | 3 / 2 | |
| 0.3.3 | 3 / 2 | |
| 0.3.2 | 3 / 2 | |
| 0.3.1 | 3 / 2 | |
| 0.3.0 | 2 / 3 | |
| 0.2.5 | 2 / 3 | |
| 0.2.4 | 2 / 3 | |
| 0.2.3 | 2 / 2 | |
| 0.2.2 | 2 / 2 | |
| 0.2.1 | 2 / 2 | |
| 0.2.0 | 2 / 2 | |
| 0.1.2 | 2 / 0 | |
| 0.1.1 | 2 / 0 | |
| 0.1.0 | 2 / 0 |
v3.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
2 findingsThis version was published by a different npm account than previous versions on 2015-05-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.