@azure/msal-node-runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Sparse README/keywords are typical for SDK sub-packages from large orgs; not indicative of spam. | ai | |
| install-scripts | install-script:install | AI (install-scripts): copyBinaries.js is a standard binary-copy step for this native broker package; stable across versions. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Bundled platform-specific DLLs and .node files are the core deliverable of this native broker add-on; expected and stable. | ai | |
v0.20.5
3 findings
Script: node ./copyBinaries.js
Package contains compiled binaries that could be backdoors:
- dist/windows/arm64/msalruntime_arm64.dll
- dist/windows/x86/msalruntime_x86.dll
- dist/windows/x64/msalruntime.dll
- dist/macos/arm64/libmsalruntime_arm64.dylib
- dist/macos/x64/libmsalruntime_x64.dylib
- dist/linux/rhel10/x64/msal-node-runtime.node
- dist/linux/rhel8_9/x64/msal-node-runtime.node
- dist/linux/ubuntu/x64/msal-node-runtime.node
- dist/macos/arm64/msal-node-runtime.node
- dist/macos/x64/msal-node-runtime.node
... and 6 more
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.20.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.