@adhdev/ghostty-vt-node
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Native Node binding; prebuilt platform/ABI-specific binaries are the documented distribution mechanism. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require iterates prebuilt binary candidates by ABI — standard native binding loader pattern. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is used at build time via CMake/cmake-js, not directly imported in JS; stable false positive. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.8.51 | 1 / 1 |
v0.8.51
2 findingsPackage contains compiled binaries that could be backdoors: • prebuilt/linux-x64-node115/libghostty-vt.so.0.1.0 • prebuilt/linux-x64-node127/libghostty-vt.so.0.1.0 • prebuilt/linux-x64-node137/libghostty-vt.so.0.1.0 • prebuilt/linux-x64-node141/libghostty-vt.so.0.1.0 • prebuilt/win32-x64-node115/ghostty-vt.dll • prebuilt/win32-x64-node127/ghostty-vt.dll • prebuilt/darwin-arm64-node115/libghostty-vt.0.1.0.dylib • prebuilt/darwin-arm64-node127/libghostty-vt.0.1.0.dylib • prebuilt/darwin-arm64-node137/libghostty-vt.0.1.0.dylib • prebuilt/darwin-arm64-node141/libghostty-vt.0.1.0.dylib ... and 18 more
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.