← Home

web-streams-polyfill

npm Repository Homepage

Web Streams, based on the WHATWG spec reference implementation

35
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

diwankwhiterabbit1983mattiasbuelens

Keywords

streamswhatwgpolyfill

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate automation transition. ai
publish-pattern dormant-publish AI (publish-pattern): Mature stable polyfill; infrequent releases are normal for this package. ai
source-diff obfuscated-file:dist/polyfill.es5.js AI (source-diff): This is a standard minified ES5 build artifact produced by rollup+terser. The file contains a proper license header and implements Web Streams API primitives with no malicious code. Expected for this package. ai
source-diff obfuscated-file:dist/ponyfill.es5.js AI (source-diff): Standard minified ES5 build artifact from rollup+terser. Contains MIT license header and legitimate Web Streams polyfill code. Expected for this package. ai
source-diff obfuscated-file:dist/ponyfill.es5.mjs AI (source-diff): Standard minified ES5 ESM build artifact from rollup+terser. Contains MIT license header and legitimate Web Streams polyfill code. Expected for this package. ai
source-diff source-size-dropped AI (source-diff): Size drop from 2MB to 419KB is explained by v4 restructuring: package now ships only dist/ and types/ (per files field), removing the large test suite and source tree that were included in v3. ai

Versions (showing 35 of 35)

Version Deps Published
4.3.0 0 / 20
4.2.0 0 / 21
4.1.0 0 / 21
4.0.0 0 / 20
3.3.3 0 / 22
3.3.2 0 / 22
3.3.1 0 / 22
3.3.0 0 / 20
3.2.1 0 / 18
3.2.0 0 / 18
3.1.1 0 / 18
3.1.0 0 / 18
3.0.3 0 / 18
3.0.2 0 / 18
3.0.1 0 / 18
3.0.0 0 / 18
2.1.1 0 / 17
2.1.0 0 / 17
2.0.6 0 / 16
2.0.5 0 / 16
2.0.4 0 / 14
2.0.3 0 / 12
2.0.2 0 / 10
2.0.1 0 / 10
2.0.0 0 / 10
1.3.2 0 / 12
1.3.1 0 / 12
1.3.0 0 / 7
1.2.2 0 / 7
1.2.1 0 / 7
1.2.0 0 / 6
1.1.1 0 / 6
1.1.0 0 / 6
1.0.1 0 / 6
1.0.0 0 / 6

v4.3.0

2 findings
HIGH Publisher changed: mattiasbuelens → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

4 findings
HIGH New obfuscated file: dist/polyfill.es5.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/ponyfill.es5.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/ponyfill.es5.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.