zlib — Greenflagged

Simple, synchronous deflate/inflate for buffers

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kkaefertmcwyhahnwillwhitespringmeyer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): zlib is a native C/C++ addon; large source size increases are expected as native binding source files (C/C++, build configs) are much larger than JS wrappers. Stable pattern for this package.	ai	2026/04/24
license	uncommon-license:BSD	AI (license): BSD is a well-known permissive license; the uncommon-license flag is a false positive for this package.	ai	2026/04/24
typosquat	typosquat.levenshtein:glob	AI (typosquat): 'zlib' is the canonical name for the zlib compression library, not a typosquat of 'glob'. The Levenshtein match is coincidental; this package is 15 years old with 400k+ weekly downloads.	ai	2026/04/24
install-scripts	install-script:preinstall	AI (install-scripts): node-waf configure build is the standard native addon build step for early Node.js C/C++ bindings; stable for this package.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Native addon: main is ./lib/zlib (compiled), no npm deps expected, no keywords typical for vintage packages.	ai	2026/04/23

Versions (showing 5 of 5)

Version	Deps	Published
1.0.5	0 / 0	2011-08-08
1.0.4	0 / 0	2011-06-22
1.0.2	0 / 0	2011-03-11
1.0.1	0 / 0	2011-03-11
1.0.0	0 / 0	2011-03-11