← Home

x-default-browser

npm Repository Homepage

Detect default web browser of the current user, cross-platform (Win/Lin/Mac)

7
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jakub-g

Keywords

windowsubuntulinuxdefaultbrowser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-added AI (maintainer-change): jakub-g was added as maintainer in 2015; this is a stable, long-standing legitimate ownership state. ai
maintainer-change maintainer-removed AI (maintainer-change): ariatemplates removal is part of the 2015 legitimate ownership transfer; no ongoing risk. ai
maintainer-change maintainer-takeover AI (maintainer-change): Publisher change occurred in Jan 2015 (~10 years ago); jakub-g has 8 approved packages, repo URL matches publisher identity, and no malicious signals have ever materialized. Legitimate historical transfer. ai
provenance publisher-changed AI (provenance): Publisher change to jakub-g happened in 2015; consistent with repo ownership and long-standing clean track record. Not an active risk. ai
semgrep semgrep:child-process-import AI (semgrep): x-default-browser uses child_process to run system commands (e.g., xdg-settings) to detect the default browser on Linux — this is core to the package's documented purpose and not a security risk. ai

Versions (showing 7 of 7)

Version Deps Published
0.5.2 1 / 3
0.5.1 1 / 3
0.5.0 1 / 3
0.4.0 1 / 3
0.3.1 1 / 3
0.3.0 1 / 3
0.2.0 1 / 3

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

3 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (ariatemplates) were replaced by new maintainers (jakub-g). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: ariatemplates → jakub-g (on 2015-11-19) provenance

This version was published by a different npm account than previous versions on 2015-11-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

3 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (ariatemplates) were replaced by new maintainers (jakub-g). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: ariatemplates → jakub-g (on 2015-01-16) provenance

This version was published by a different npm account than previous versions on 2015-01-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.