@fails-components/webtransport-transport-http3-quiche
4
Versions
—
License
Yes
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
martenrichter
Keywords
webtransport
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation confirms CI/CD publish; dormancy is benign for a low-traffic native addon. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the native .node binary at a computed path; standard pattern for native addons. | ai | |
| phantom-deps | phantom-dep:bindings | AI (phantom-deps): bindings is a native addon utility used via build config, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:cmake-js | AI (phantom-deps): cmake-js is a build tool invoked by build.js, not imported directly; stable false positive. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Native addon; install script fetches prebuilt binaries via prebuild-install, consistent with binary field in package.json. | ai | |
| phantom-deps | phantom-dep:prebuild-install | AI (phantom-deps): prebuild-install is invoked by build.js install script, not imported directly; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/debug | AI (phantom-deps): Type-only package; never directly imported at runtime. Stable false positive. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is a C++ header-only dependency used at build time, not imported in JS; stable false positive. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 1.6.3 | 6 / 14 | |
| 1.6.2 | 6 / 14 | |
| 1.6.1 | 6 / 14 | |
| 1.4.4 | 6 / 14 |
v1.6.3
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.2
2 findings
HIGH
Package has 'install' script
install-scripts
Script: node build.js install
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.4
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.