@gjsify/crypto — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jumplinkschanzewlsh

Keywords

gjsnodecrypto

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@gjsify/utils	AI (phantom-deps): Same org scope; likely re-exported or used indirectly via build tooling, consistent with sibling packages.	ai	2026/05/28
phantom-deps	phantom-dep:@girs/glib-2.0	AI (phantom-deps): Referenced in config files per finding; not a direct import but a legitimate transitive/type dependency.	ai	2026/05/28
dependencies	unvetted-dep:@girs/glib-2.0	AI (dependencies): @girs/glib-2.0 is a GLib type binding, appropriate for a GJS-targeted crypto polyfill.	ai	2026/05/24
phantom-deps	phantom-dep:@gjsify/buffer	AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic is a false positive for this package.	ai	2026/05/18
typosquat	typosquat.levenshtein:bcrypt	AI (typosquat): Scoped @gjsify/crypto is a GJS crypto polyfill, not a typosquat of bcrypt.	ai	2026/05/18
phantom-deps	phantom-dep:@gjsify/stream	AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic is a false positive for this package.	ai	2026/05/18
semgrep	semgrep:base64-decode	AI (semgrep): PEM/DER parsing in a crypto library legitimately uses base64 decoding; not a malicious payload.	ai	2026/05/18
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding in cipher test vectors is expected in a crypto library; not obfuscation.	ai	2026/05/18