wtf8
A Node.JS UTF-8 encoder and decoder which is able to handle characters outside Basic Multilingual Plane
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall runs 'node-waf configure build', the legacy native addon build tool. This is a standard native extension build pattern for old Node.js packages, not malicious. | ai | |
| provenance | no-provenance | AI (provenance): Package is 14+ years old; provenance attestation did not exist when it was published. No concern for this package. | ai | |
| install-scripts | install-script:install | AI (install-scripts): node-gyp rebuild is the standard install script for native Node.js addons using nan; stable and expected for this package. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is referenced in binding.gyp for native addon builds, not imported in JS. This is the standard pattern for native Node.js addons. | ai |
v0.2.0
2 findingsScript: node-gyp rebuild
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findingsScript: node-waf configure build
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
2 findingsScript: node-waf configure build
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.