yauzl — Greenflagged

yet another unzip library for node

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

superjoethejoshwolfe

Keywords

unzipzipstreamarchivefile

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): yauzl 0.0.0 is the legitimate historical first release of a well-established unzip library published 11+ years ago by a trusted maintainer. The 0.0.0 version is not indicative of malicious intent here.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change from thejoshwolfe to superjoe occurred in 2014; superjoe is a long-standing trusted publisher (60 approved, 0 rejected). Legitimate maintainer transition confirmed by 11 years of subsequent clean releases.	ai	2026/04/22
provenance	missing-githead	AI (provenance): Missing gitHead is a historical artifact from a 2014 publish environment change; no security implication given the package's long clean track record.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): superjoe was added as maintainer in 2014; this is a historical, legitimate transition with no adverse signals across 33 subsequent versions.	ai	2026/04/22
dependencies	unvetted-dep:iconv	AI (dependencies): iconv is a legitimate encoding library; its use in a zip parser for filename encoding handling is expected and benign for this package.	ai	2026/04/22
phantom-deps	phantom-dep:pend	AI (phantom-deps): pend is a legitimate declared dependency used by yauzl for async flow control; phantom detection is a false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:fd-slicer	AI (dependencies): fd-slicer is a well-known, stable utility package commonly used alongside yauzl; no security concerns associated with it.	ai	2026/04/22
dependencies	unvetted-dep:pend	AI (dependencies): pend is a long-standing, stable dependency of yauzl; its use here is expected and consistent with prior versions of the package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): yauzl is a long-established package (4261 days old); lack of provenance attestation is expected for packages published before Sigstore adoption.	ai	2026/04/21

Versions (showing 35 of 35)

Version	Deps	Published
3.3.2	1 / 1	2026-05-31
3.3.1	2 / 1	2026-05-21
3.3.0	2 / 1	2026-03-31
3.2.1	2 / 1	2026-03-10
3.2.0	2 / 1	2024-11-03
3.1.3	2 / 1	2024-04-19
3.1.2	2 / 1	2024-03-05
3.1.1	2 / 1	2024-02-27
3.1.0	2 / 1	2024-02-19
3.0.0	2 / 1	2024-02-15
2.10.0	2 / 3	2018-07-03
2.9.2	2 / 3	2018-06-03
2.9.1	2 / 3	2017-10-30
2.9.0	2 / 3	2017-10-28
2.8.0	2 / 3	2017-04-22
2.7.0	2 / 3	2016-10-25
2.6.0	2 / 3	2016-06-18
2.5.0	1 / 3	2016-06-08
2.4.3	1 / 3	2016-06-04
2.4.2	1 / 3	2016-05-09
2.4.1	1 / 3	2015-12-31
2.4.0	1 / 3	2015-12-31
2.3.1	2 / 1	2015-05-15
2.3.0	2 / 1	2015-04-29
2.2.1	2 / 1	2015-01-12
2.2.0	2 / 1	2014-12-03
2.1.0	2 / 0	2014-10-16
2.0.3	3 / 0	2014-10-16
2.0.2	3 / 0	2014-10-13
2.0.1	3 / 0	2014-09-29
2.0.0	3 / 0	2014-09-20
1.1.1	3 / 0	2014-09-03
1.1.0	3 / 0	2014-08-27
1.0.0	3 / 0	2014-08-27
0.0.0	1 / 0	2014-08-22

v3.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: superjoe.

HIGH Publisher changed: thejoshwolfe → superjoe (on 2014-09-29) provenance

This version was published by a different npm account than previous versions on 2014-09-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.