@confluentinc/kafka-javascript
Versions: 2
License: —
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version: no SLSA provenance; npm registry signature present; gitHead linked.
Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap. A registry signature only proves that npm served this exact tarball, and the gitHead field is an unverified value the publisher's npm client wrote into package.json; neither proves the tarball was built from that commit.
Maintainers: confluent-npmspanwar
Keywords: kafka, librdkafka
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:install | AI (install-scripts): node-pre-gyp install --fallback-to-build is the standard install pattern for native Node.js addons; stable and expected for this librdkafka binding package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process in util/configure.js is used for build configuration in a native addon — standard pattern, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a declared runtime dep used at the C++ native binding layer, not directly imported in JS. Normal for native addons. | ai | |
| phantom-deps | phantom-dep:@mapbox/node-pre-gyp | AI (phantom-deps): @mapbox/node-pre-gyp is referenced in build/config files as expected for native addon binary management; not a phantom dep concern. | ai | |
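As an added example, not code from the scanner or from @confluentinc/kafka-javascript, the JavaScript below derives the three provenance badges and the two per-version findings shown on this page from an npm registry version object (the shape `npm view <pkg>@<version> --json` returns). The sample object is constructed from the fields this page reports; its gitHead, integrity and signature values are placeholders, and the `reviewVersion`, `provenanceStatus` and `hasSourceLink` names are this example's own.

```javascript
// Added example, not the scanner's or the package's own code.
// Relevant fields of an npm registry version object:
//   scripts           -> lifecycle hooks npm runs when the package is installed
//   gitHead           -> commit the publishing npm client recorded (unverified)
//   dist.signatures   -> registry signatures over "<name>@<version>:<integrity>"
//   dist.attestations -> Sigstore-signed SLSA provenance, only when published with --provenance

// Hooks npm runs automatically when the package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Reproduces the two findings listed per version on this page.
function reviewVersion(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === "string" && cmd.trim() !== "") {
      findings.push({
        severity: "HIGH",
        rule: `install-script:${hook}`,
        detail: `Script: ${cmd}`,
      });
    }
  }
  const dist = pkg.dist || {};
  if (!dist.attestations) {
    findings.push({
      severity: "LOW",
      rule: "provenance",
      detail: "Package was published without Sigstore provenance.",
    });
  }
  return findings;
}

// Reproduces the three provenance badges: what links this tarball to a source commit?
function provenanceStatus(pkg) {
  const dist = pkg.dist || {};
  const sigs = Array.isArray(dist.signatures) ? dist.signatures : [];
  return {
    slsaProvenance: Boolean(dist.attestations && dist.attestations.url),
    registrySignature: sigs.some(
      (s) => typeof s.keyid === "string" && typeof s.sig === "string"
    ),
    gitHeadLinked: /^[0-9a-f]{40}$/i.test(pkg.gitHead || ""),
  };
}

// A registry signature proves npm served this tarball; gitHead is a bare claim.
// Only a provenance attestation binds the tarball to a build of that commit.
function hasSourceLink(pkg) {
  return provenanceStatus(pkg).slsaProvenance;
}

// Constructed sample shaped like the registry entry for v1.9.0 as this page
// describes it. gitHead, integrity and signature values are placeholders.
const SAMPLE_VERSION = {
  name: "@confluentinc/kafka-javascript",
  version: "1.9.0",
  gitHead: "0123456789abcdef0123456789abcdef01234567",
  scripts: {
    install: "node-pre-gyp install --fallback-to-build",
    test: "mocha",
  },
  dist: {
    integrity: "sha512-PLACEHOLDER",
    signatures: [{ keyid: "SHA256:placeholder", sig: "MEUCIQplaceholder" }],
    // no `attestations` key: published without --provenance
  },
};

for (const f of reviewVersion(SAMPLE_VERSION)) {
  console.log(`${f.severity}\t${f.rule}\t${f.detail}`);
}
console.log(provenanceStatus(SAMPLE_VERSION));
```

`npm view @confluentinc/kafka-javascript@1.9.0 dist --json` returns the real `dist` object, and `npm audit signatures` verifies the registry signatures and any provenance attestations of the packages already in `node_modules`. To stop the HIGH finding from executing before you have read the script, install with `--ignore-scripts` and run `npm rebuild @confluentinc/kafka-javascript` once you are satisfied; for this package the install hook is what downloads or compiles the librdkafka binary, so skipping it permanently leaves the addon unusable.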
v1.9.0 (2 findings)

| Severity | Source | Finding | Detail |
|---|---|---|---|
| HIGH | install-scripts | Package has 'install' script | Script: `node-pre-gyp install --fallback-to-build` |
| LOW | provenance | No provenance attestation | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
v1.5.0 (2 findings)

| Severity | Source | Finding | Detail |
|---|---|---|---|
| HIGH | install-scripts | Package has 'install' script | Script: `node-pre-gyp install --fallback-to-build` |
| LOW | provenance | No provenance attestation | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |