@mcpmesh/core — Greenflagged

MCP Mesh Rust core bindings for Node.js

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mcp-mesh

Keywords

mcpmeshagentnapirust

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher is GitHub Actions CI/CD with SLSA provenance; this is the expected publisher for napi-rs packages built via automation.	ai	2026/05/22
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped package @mcpmesh/core is a Rust/napi binding, not a typosquat of cors; name collision is coincidental.	ai	2026/04/30
semgrep	semgrep:child-process-execsync	AI (semgrep): execSync('ldd --version') is standard napi-rs musl detection boilerplate; no user input involved.	ai	2026/04/30
semgrep	semgrep:child-process-import	AI (semgrep): child_process used only for ldd musl detection in napi-rs scaffolding; benign pattern.	ai	2026/04/30
semgrep	semgrep:dynamic-require	AI (semgrep): NAPI_RS_NATIVE_LIBRARY_PATH override is standard napi-rs escape hatch for custom binary paths.	ai	2026/04/30
npm-metadata	bundled-binaries	AI (npm-metadata): Native .node binaries are the expected output of a napi-rs Rust binding package for multiple platforms.	ai	2026/04/30

Versions (showing 16 of 16)

Version	Deps	Published
2.4.0	0 / 1	2026-06-04
2.3.0	0 / 1	2026-05-23
2.2.4	0 / 1	2026-05-21
2.2.0	0 / 1	2026-05-19
2.1.0	0 / 1	2026-05-17
2.0.1	0 / 1	2026-05-16
2.0.0	0 / 1	2026-05-14
1.4.1	0 / 1	2026-04-28
1.4.0	0 / 1	2026-04-28
1.3.4	0 / 1	2026-04-18
1.3.3	0 / 1	2026-04-16
1.3.2	0 / 1	2026-04-15
1.3.1	0 / 1	2026-04-14
1.3.0	0 / 1	2026-04-14
1.2.0	0 / 1	2026-04-09
1.1.0	0 / 1	2026-04-05

v2.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.4

2 findings

HIGH Publisher changed: mcp-mesh → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.1

3 findings

HIGH Bundled binary files (4) npm-metadata

Package contains compiled binaries that could be backdoors: • mcp-mesh-core.darwin-arm64.node • mcp-mesh-core.darwin-x64.node • mcp-mesh-core.linux-arm64-gnu.node • mcp-mesh-core.linux-x64-gnu.node

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@mcpmesh/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.