← Home

@electric-sql/pglite

51
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

thrufloicehaunterkylemathewssgwillis

Keywords

postgressqldatabasewasmclientpglite

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/chunk-TDKVRJ2S.js AI (source-diff): Bundled tsup dist output (tar/pgp helpers); network+eval pattern is build artifact, stable FP for this package. ai
source-diff net-exec-file:dist/chunk-HXUXMFL7.js AI (source-diff): Bundled WASM/tar utility code for PGlite; network+exec pattern is inherent to the library's design. ai
source-diff net-exec-file:dist/chunk-SAANIQDT.js AI (source-diff): Bundled utility code for WASM Postgres; network+exec pattern is expected for this package. ai
source-diff net-exec-file:dist/chunk-E4Q7R6FO.js AI (source-diff): Bundled WASM loader + tar utilities; network+exec pattern is inherent to this package's design. ai
source-diff net-exec-file:dist/chunk-4QMGOB4T.js AI (source-diff): PGlite legitimately combines network calls with tar/binary processing to load WASM Postgres extensions. The new chunk contains tar utility code, not malware. SLSA provenance attestation confirms CI/CD build integrity. ai
source-diff obfuscated-file:dist/fs/base.cjs AI (source-diff): Standard esbuild/tsup minified bundle output for a WASM database library; corresponds to the legitimate ./basefs export. Not obfuscation. ai
source-diff obfuscated-file:dist/fs/opfs-ahp.js AI (source-diff): Standard minified build artifact for the OPFS-AHP filesystem backend; accompanied by source maps. Consistent with the package's documented purpose and build tooling. ai
source-diff obfuscated-file:dist/fs/opfs-ahp.cjs AI (source-diff): Standard minified build artifact for the OPFS-AHP filesystem backend; accompanied by source maps. Consistent with the package's documented purpose and build tooling. ai
source-diff net-exec-file:dist/chunk-QWXI4IVL.js AI (source-diff): Chunk contains a bundled TAR library (TMAGIC constants visible) needed for extension handling — legitimate build artifact, not dropper malware. ai
maintainer-change maintainer-added AI (maintainer-change): kylemathews is associated with the Electric SQL organization; addition aligns with CI/CD transition and is not a hostile takeover signal. ai
source-diff net-exec-file:dist/initdb.js AI (source-diff): Emscripten WASM loader with file I/O for loading .wasm binary — not network exfiltration. Standard pattern for WASM Postgres build. ai
source-diff obfuscated-file:dist/initdb.js AI (source-diff): Emscripten-generated WASM loader — standard output for WASM builds. Long lines are expected from Emscripten's minified module factory pattern. ai
source-diff net-exec-file:dist/chunk-IFMZIE5T.js AI (source-diff): Sample shows bundled tar-parsing utility code (tinytar devDep), not malware. Standard minified JS bundle for a WASM database package. ai
provenance publisher-changed AI (provenance): Publisher changed from personal account to GitHub Actions CI/CD, consistent with project maturation. SLSA provenance attestation confirms legitimate automated publishing pipeline. ai

Versions (showing 51 of 55)

View all versions
Version Deps Published
0.5.4 0 / 15
0.5.3 0 / 15
0.5.2 0 / 15
0.5.1 0 / 15
0.5.0 0 / 15
0.4.6 0 / 15
0.4.5 0 / 15
0.4.4 0 / 15
0.4.3 0 / 15
0.4.2 0 / 15
0.4.1 0 / 14
0.4.0 0 / 14
0.3.16 0 / 14
0.3.15 0 / 14
0.3.14 0 / 13
0.3.13 0 / 13
0.3.12 0 / 13
0.3.11 0 / 13
0.3.10 0 / 13
0.3.9 0 / 13
0.3.8 0 / 13
0.3.7 0 / 13
0.3.6 0 / 13
0.3.5 0 / 13
0.3.4 0 / 13
0.3.3 0 / 12
0.3.2 0 / 12
0.3.1 0 / 12
0.3.0 0 / 12
0.2.17 0 / 12
0.2.16 0 / 12
0.2.15 0 / 12
0.2.14 0 / 12
0.2.13 0 / 12
0.2.12 0 / 13
0.2.11 0 / 13
0.2.10 0 / 13
0.2.9 0 / 13
0.2.8 0 / 13
0.2.7 0 / 13
0.2.6 0 / 13
0.2.5 0 / 13
0.2.4 0 / 13
0.2.3 0 / 13
0.2.2 0 / 13
0.2.1 0 / 13
0.2.0 0 / 17
0.1.5 0 / 13
0.1.4 0 / 13
0.1.3 0 / 13
0.1.2 0 / 13

v0.5.4

2 findings
HIGH New file with network + code execution: dist/chunk-TDKVRJ2S.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.2

2 findings
HIGH New file with network + code execution: dist/chunk-HXUXMFL7.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.1

2 findings
HIGH New file with network + code execution: dist/chunk-SAANIQDT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

2 findings
HIGH New file with network + code execution: dist/chunk-SAANIQDT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.6

2 findings
HIGH New file with network + code execution: dist/chunk-E4Q7R6FO.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.