update-notifier-cjs
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:pupa | AI (dependencies): pupa is a well-known Sindre Sorhus string interpolation utility; stable low-risk dependency for this package. | ai | |
| phantom-deps | phantom-dep:got | AI (phantom-deps): Package uses import-lazy for lazy loading; static analysis misses these imports. Expected pattern for this update-notifier CJS port. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Package uses import-lazy for lazy loading; static analysis misses these imports. Expected pattern for this update-notifier CJS port. | ai | |
| phantom-deps | phantom-dep:registry-url | AI (phantom-deps): Package uses import-lazy for lazy loading; static analysis misses these imports. Expected pattern for this update-notifier CJS port. | ai | |
| phantom-deps | phantom-dep:latest-version | AI (phantom-deps): Package uses import-lazy for lazy loading; static analysis misses these imports. Expected pattern for this update-notifier CJS port. | ai | |
| phantom-deps | phantom-dep:registry-auth-token | AI (phantom-deps): Package uses import-lazy for lazy loading; static analysis misses these imports. Expected pattern for this update-notifier CJS port. | ai | |
| phantom-deps | phantom-dep:semver-diff | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:xdg-basedir | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:is-yarn-global | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:is-installed-globally | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:boxen | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same detached spawn as above — local check.js via process.execPath. Stable false positive for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used only for the documented detached update-check spawn; no arbitrary command execution. | ai | |
| phantom-deps | phantom-dep:pupa | AI (phantom-deps): Deps are lazily required via import-lazy, causing static analysis to miss direct require calls. Known pattern from upstream update-notifier. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is the canonical update-notifier pattern: spawns local check.js via process.execPath to run update checks without blocking the CLI. Not malicious. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:is-ci | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:is-npm | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:has-yarn | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
| phantom-deps | phantom-dep:configstore | AI (phantom-deps): Lazily required via import-lazy; same pattern as upstream update-notifier. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 5.1.7 | 16 / 5 | |
| 5.1.6 | 16 / 5 | |
| 5.1.5 | 16 / 5 | |
| 5.1.4 | 16 / 5 | |
| 5.1.3 | 16 / 5 | |
| 5.1.2 | 17 / 5 | |
| 5.1.1 | 17 / 5 | |
v5.1.7
3 findings:
- Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/ryanblock/update-notifier-cjs/blob/540641a57fcc929895c08f09ddede0a5dffe0738/index.js#L98
- Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/ryanblock/update-notifier-cjs/blob/540641a57fcc929895c08f09ddede0a5dffe0738/index.js#L98
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Both detached-process findings point at the same excerpt of index.js (the flagged line is marked with `>`):

```js
 96 |
 97 | // Spawn a detached process, passing the options as an environment property
>98 | spawn(process.execPath, [path.join(__dirname, 'check.js'), JSON.stringify(this.options)], {
 99 |   detached: true,
100 |   stdio: 'ignore'
```
v5.1.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.