@canboat/canboatjs — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

sbender

Keywords

boatbuscancanboatkmarinenmea2000parserpgnsignalksignal

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is part of NMEA2000/PGN protocol parsing, not obfuscation.	ai	2026/05/28
phantom-deps	phantom-dep:minimist	AI (phantom-deps): minimist is a declared runtime dependency in package.json; phantom-dep is a false positive.	ai	2026/05/28
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding appears in test files for binary protocol test vectors; not malicious.	ai	2026/05/28
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions publishing is attested via SLSA provenance; legitimate CI/CD migration for this established package.	ai	2026/05/24
publish-pattern	dormant-publish	AI (publish-pattern): SLSA provenance attestation confirms legitimate publish; dormancy explained by CI/CD migration.	ai	2026/05/24
phantom-deps	phantom-dep:split	AI (phantom-deps): Used in config/runtime contexts; stable false positive for this package.	ai	2026/05/23
phantom-deps	phantom-dep:dnssd	AI (phantom-deps): Used in config/runtime contexts; stable false positive for this package.	ai	2026/05/23
phantom-deps	phantom-dep:node-addon-api	AI (phantom-deps): node-addon-api is a build-time native addon dependency, not imported directly in JS — stable false positive.	ai	2026/04/29
install-scripts	install-script:install	AI (install-scripts): node-gyp rebuild with graceful fallback; consistent with gypfile:true and native CAN socket addon purpose.	ai	2026/04/29

Versions (showing 47 of 47)

Version	Deps	Published
3.19.0	11 / 27	2026-05-24
3.16.4	11 / 27	2026-04-25
3.16.3	11 / 27	2026-04-13
3.15.1	10 / 27	2026-03-20
3.15.0	10 / 27	2026-03-13
3.14.0	10 / 27	2026-03-06
3.13.2	10 / 27	2026-01-23
3.13.0	10 / 27	2025-12-12
3.12.2	10 / 27	2025-10-30
3.12.1	10 / 27	2025-10-29
3.12.0	10 / 27	2025-10-27
3.11.1	10 / 27	2025-10-16
3.11.0	10 / 28	2025-08-28
3.10.4	10 / 28	2025-08-19
3.10.3	10 / 28	2025-08-13
3.10.2	10 / 28	2025-08-08
3.10.1	10 / 28	2025-08-08
3.10.0	10 / 28	2025-08-07
3.9.2	10 / 28	2025-08-05
3.9.1	10 / 28	2025-08-05
3.9.0	10 / 28	2025-08-04
3.8.5	10 / 28	2025-08-01
3.8.4	10 / 28	2025-07-31
3.8.3	10 / 28	2025-07-31
3.8.2	10 / 28	2025-07-31
3.8.1	10 / 28	2025-07-31
3.8.0	10 / 28	2025-07-30
3.7.0	10 / 28	2025-07-29
3.6.0	10 / 28	2025-07-25
3.5.3	10 / 28	2025-07-21
3.5.2	10 / 28	2025-07-21
3.5.1	10 / 28	2025-07-21
3.5.0	10 / 27	2025-07-15
3.4.2	10 / 27	2025-07-13
3.4.1	10 / 27	2025-07-11
3.4.0	10 / 27	2025-07-09
3.3.5	10 / 27	2025-07-09
3.3.4	10 / 27	2025-07-09
3.3.3	10 / 27	2025-07-09
3.3.2	10 / 27	2025-07-09
3.3.1	10 / 27	2025-07-08
3.3.0	10 / 27	2025-07-06
3.2.4	10 / 27	2025-07-05
3.2.3	10 / 27	2025-07-03
3.2.2	10 / 27	2025-07-02
3.1.0	10 / 27	2025-07-02
3.0.0	10 / 11	2025-06-24

v3.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.16.4

2 findings

HIGH Package has 'install' script install-scripts

Script: node-gyp rebuild || echo 'Native CAN socket addon not available on this platform'

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.16.3

2 findings

HIGH Package has 'install' script install-scripts

Script: node-gyp rebuild || echo 'Native CAN socket addon not available on this platform'

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.1

2 findings

HIGH Publisher changed: sbender → GitHub Actions (on 2026-03-20) provenance

This version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.0

2 findings

HIGH Publisher changed: sbender → GitHub Actions (on 2026-03-13) provenance

This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.14.0

2 findings

HIGH Publisher changed: sbender → GitHub Actions (on 2026-03-06) provenance

This version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.13.2

2 findings

HIGH Publisher changed: sbender → GitHub Actions (on 2026-01-23) provenance

This version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.