
@herb-tools/node

Native Node.js addon for HTML-aware ERB parsing using Herb.

Versions: 9
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

marcoroth

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
bogus-package | bogus-package | AI (bogus-package): Cosmetic signals only (short README, no keywords). Package has real functionality, 39 versions, 375 days old, and 182 weekly downloads. | ai |
typosquat | typosquat.levenshtein:zod | AI (typosquat): Scoped package @herb-tools/node is not impersonating zod; Levenshtein match is a false positive. Package is a native addon for ERB parsing with 375 days of history. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): execSync in bin/vendor.cjs is used to set up native build dependencies (prism). Standard pattern for native addon build tooling. | ai |
install-scripts | install-script:install | AI (install-scripts): node-pre-gyp install --fallback-to-build is the canonical install pattern for native Node.js addons fetching prebuilt binaries from GitHub releases. Stable for this package. | ai |
phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is referenced in binding.gyp for native compilation, not imported in JS. Normal for native addon packages. | ai |
phantom-deps | phantom-dep:node-pre-gyp-github | AI (phantom-deps): node-pre-gyp-github is a build/publish tool referenced in scripts, not imported in JS. Normal for native addon packages. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): require(libherbPath) loads the native .node binary via node-pre-gyp's binary.find(). Standard pattern for native addon loading; path is not user-controlled. | ai |

Versions (showing 9 of 9)

Version | Deps | Published
0.10.1 | 4 / 0 |
0.10.0 | 4 / 0 |
0.9.7 | 4 / 0 |
0.9.6 | 4 / 0 |
0.9.5 | 4 / 0 |
0.9.4 | 4 / 0 |
0.9.3 | 4 / 0 |
0.8.1 | 4 / 0 |
0.2.0 | 4 / 0 |

v0.10.1

2 findings
HIGH  Package has 'install' script  (rule: install-scripts)

Script: yarn vendor && node-pre-gyp install --fallback-to-build

LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
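The two checks behind the findings above (a lifecycle install hook, and the absence of a Sigstore/SLSA attestation, registry signature and gitHead) can be reproduced from the package's npm registry metadata. The following is an added example, not code from the scanner or from @herb-tools/node. It assesses one version from a "packument" (the JSON that `npm view <pkg> --json` prints, or that `GET https://registry.npmjs.org/<pkg>` returns). Both packuments in the block are constructed by hand: the first mirrors what this page states for @herb-tools/node 0.10.1 (the install script is the one quoted above; no attestations, no signatures, no gitHead, placeholder integrity), and the second is a fictitious package showing the fields a provenance-bearing publish carries (placeholder keyid, sig and commit). The function and rule names are the example's own.

```javascript
// Added example (not the scanner's or the package's code): assess one npm
// package version for lifecycle install hooks and supply-chain provenance,
// using only the fields the npm registry actually publishes in a packument.

const SLSA_V1 = "https://slsa.dev/provenance/v1";
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed: modeled on what this page reports for @herb-tools/node 0.10.1.
const packument = {
  name: "@herb-tools/node",
  "dist-tags": { latest: "0.10.1" },
  versions: {
    "0.10.1": {
      version: "0.10.1",
      scripts: { install: "yarn vendor && node-pre-gyp install --fallback-to-build" },
      // no gitHead: the registry entry does not say which commit was built
      dist: {
        tarball: "https://registry.npmjs.org/@herb-tools/node/-/node-0.10.1.tgz",
        integrity: "sha512-PLACEHOLDER", // constructed, not the real digest
        // no dist.signatures and no dist.attestations
      },
    },
  },
};

// Constructed: a fictitious package published with `npm publish --provenance`
// from CI. keyid, sig, commit and digest are placeholders.
const signedPackument = {
  name: "example-with-provenance",
  "dist-tags": { latest: "1.0.0" },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      gitHead: "0123456789abcdef0123456789abcdef01234567",
      scripts: { test: "node --test" },
      dist: {
        tarball: "https://registry.npmjs.org/example-with-provenance/-/example-with-provenance-1.0.0.tgz",
        integrity: "sha512-PLACEHOLDER",
        signatures: [{ keyid: "SHA256:placeholder-registry-key", sig: "MEUCIQplaceholder" }],
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-with-provenance@1.0.0",
          provenance: { predicateType: SLSA_V1 },
        },
      },
    },
  },
};

// Assess one version: returns the three provenance facts tracked by the
// status line above plus a findings list in the report's HIGH/LOW shape.
function assessVersion(pkg, version) {
  const v = pkg.versions[version];
  if (!v) throw new Error(`${pkg.name}: unknown version ${version}`);
  const findings = [];

  // Lifecycle hooks run arbitrary code during `npm install` / `yarn install`.
  // Every hook is surfaced for review; accepting it is a human decision (here
  // it is node-pre-gyp's fetch-prebuilt-or-build step for a native addon).
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = v.scripts && v.scripts[hook];
    if (cmd) findings.push({ severity: "HIGH", rule: "install-scripts", detail: `${hook}: ${cmd}` });
  }

  // Provenance: the registry exposes the Sigstore bundle under dist.attestations
  // (predicateType names the SLSA version), registry signatures under
  // dist.signatures, and the commit the publish ran from under gitHead.
  const att = v.dist && v.dist.attestations;
  const slsaProvenance = Boolean(att && att.url && att.provenance && att.provenance.predicateType === SLSA_V1);
  const registrySignature = Boolean(v.dist && Array.isArray(v.dist.signatures) && v.dist.signatures.length > 0);
  const gitHeadLinked = typeof v.gitHead === "string" && /^[0-9a-f]{40}$/.test(v.gitHead);
  if (!slsaProvenance) {
    findings.push({ severity: "LOW", rule: "provenance", detail: "no SLSA provenance attestation" });
  }

  return { name: pkg.name, version, slsaProvenance, registrySignature, gitHeadLinked, findings };
}

// Install gate: HIGH findings block unless their rule was explicitly accepted,
// as the "Accepted risks" table above does for install-scripts.
function allowInstall(result, { acceptedRules = [] } = {}) {
  return result.findings.every(f => f.severity !== "HIGH" || acceptedRules.includes(f.rule));
}

function runReport() {
  return [[packument, "0.10.1"], [signedPackument, "1.0.0"]].map(([pkg, ver]) => {
    const r = assessVersion(pkg, ver);
    return { ...r, installAllowed: allowInstall(r, { acceptedRules: ["install-scripts"] }) };
  });
}

console.log(JSON.stringify(runReport(), null, 2));
```

Against the live registry, `npm view @herb-tools/node@0.10.1 dist --json` shows whether `signatures` and `attestations` are present, and `npm audit signatures` verifies registry signatures and provenance attestations for an already installed tree. Note the trade-off the HIGH finding implies: `ignore-scripts=true` in `.npmrc` would stop the install hook, but then node-pre-gyp never fetches or builds the `.node` binary and the addon does not load, so the practical control is to review the script, pin the version and run the install in CI rather than to suppress it.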

v0.10.0

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.7

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.6

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.5

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.4

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.3

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.1

1 finding
LOW  No provenance attestation  (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.