@astronautlabs/webrtc — Greenflagged

Standards-compliant WebRTC implementation for Node

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rezonant

Keywords

webrtcp2ppeer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:install	AI (install-scripts): Runs 'twine install' to fetch prebuilt binaries via @astronautlabs/twine; documented pattern for this native binding package.	ai	2026/05/19
semgrep	semgrep:child-process-import	AI (semgrep): child_process used in build-from-source.js helper script for native compilation; not in install path.	ai	2026/05/19
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads a local package.json path in an install-example helper script; not arbitrary module loading.	ai	2026/05/19
phantom-deps	phantom-dep:nan	AI (phantom-deps): nan is a native addon build dependency referenced in CMake/binding config, not directly imported in JS.	ai	2026/05/19
phantom-deps	phantom-dep:libyuv	AI (phantom-deps): libyuv is a native C++ dependency referenced in build config, not imported in JS.	ai	2026/05/19
phantom-deps	phantom-dep:node-cmake	AI (phantom-deps): node-cmake is a build tool used via ncmake CLI, not imported in JS.	ai	2026/05/19
phantom-deps	phantom-dep:node-addon-api	AI (phantom-deps): node-addon-api is a native addon build dependency referenced in config, not imported in JS.	ai	2026/05/19
phantom-deps	phantom-dep:@astronautlabs/twine	AI (phantom-deps): Used as CLI tool in install script, not imported as JS module.	ai	2026/05/19
phantom-deps	phantom-dep:@astronautlabs/segfault-handler	AI (phantom-deps): Same-org native crash handler; likely loaded conditionally at runtime.	ai	2026/05/19

Versions (showing 3 of 3)

Version	Deps	Published
0.5.5	7 / 46	2026-04-30
0.5.4	7 / 46	2026-04-30
0.5.3	7 / 46	2026-04-29

v0.5.5

2 findings

HIGH Package has 'install' script install-scripts

Script: twine install

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.3

2 findings

HIGH Package has 'install' script install-scripts

Script: twine install

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.