← Home

zlibcontext

npm Repository Homepage

Simple, synchronous deflate/inflate for buffers (ZLibContext modification)

4
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

fedor.indutny

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
install-scripts install-script:preinstall AI (install-scripts): node-waf configure build is the canonical pre-node-gyp native addon build command for early Node.js packages (~2010-2012). This is a legitimate zlib native binding, not malicious. ai
npm-metadata bundled-binaries AI (npm-metadata): Binaries are compiled native addon artifacts (.node, .o files) from building a C++ zlib binding. Expected output for a native Node.js addon from this era. ai
install-scripts install-script:install AI (install-scripts): This is a native C zlib binding; './configure && make' is the standard build pattern for native Node.js addons. Stable and expected for this package. ai
bogus-package bogus-package AI (bogus-package): Signals (no keywords, no deps, tiny index.js) are consistent with a minimal native binding wrapper, not spam. Package has legitimate purpose and trusted publisher. ai

Versions (showing 4 of 4)

Version Deps Published
1.0.9 0 / 0
1.0.7 0 / 0
1.0.5 0 / 0
1.0.4 0 / 0

v1.0.9

2 findings
HIGH Package has 'install' script install-scripts

Script: ./configure && make

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

2 findings
HIGH Bundled binary files (5) npm-metadata

Package contains compiled binaries that could be backdoors: • lib/zlib_bindings.node • build/.conf_check_0/testbuild/default/test_1.o • build/.conf_check_0/testbuild/default/testprog • build/default/src/node_zlib_1.o • build/default/zlib_bindings.node

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

3 findings
HIGH Package has 'preinstall' script install-scripts

Script: node-waf clean || true; node-waf configure build

HIGH Bundled binary files (5) npm-metadata

Package contains compiled binaries that could be backdoors: • lib/zlib_bindings.node • build/.conf_check_0/testbuild/default/test_1.o • build/.conf_check_0/testbuild/default/testprog • build/default/src/node_zlib_1.o • build/default/zlib_bindings.node

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.