@napi-rs/canvas
Canvas for Node.js with skia backend
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm64-musl | AI (dependencies): Standard napi-rs platform-specific optional binary package under the same org scope; identical pattern to other already-accepted platform variants. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm64-musl | AI (phantom-deps): Dynamically loaded platform binary following napi-rs convention; not statically imported by design. Same pattern as other accepted platform variants. | ai | |
| dependencies | unvetted-dep:@node-rs/helper | AI (dependencies): @node-rs/helper is the standard napi-rs runtime helper for platform binary loading; legitimate dependency. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-win32-x64-msvc | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm64-gnu | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm-gnueabihf | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| provenance | no-provenance | AI (provenance): Version 0.0.3 predates npm Sigstore provenance support; absence is expected for packages published in this era. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-darwin-x64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-darwin-arm64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-android-arm64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-x64-gnu | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-x64-musl | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-win32-x64-msvc | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm64-gnu | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm-gnueabihf | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-darwin-x64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-darwin-arm64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-android-arm64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-x64-gnu | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-x64-musl | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| provenance | publisher-changed | AI (provenance): Package now publishes via GitHub Actions CI/CD with SLSA provenance attestation from the canonical Brooooooklyn/canvas repo. This is a legitimate automation transition, not a compromise. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is gated on NAPI_RS_NATIVE_LIBRARY_PATH env var — a documented napi-rs escape hatch for custom native library paths, stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only to detect musl libc via 'ldd --version' for native binary selection — standard napi-rs pattern, stable across versions. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is a fixed, benign command for musl detection in napi-rs native bindings — not arbitrary shell execution. | ai | |
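The three semgrep and dependency acceptances above rest on claims about how the package's loader is written (same-scope platform variants, a fixed `ldd --version` shell-out, a dynamic `require` that only follows `NAPI_RS_NATIVE_LIBRARY_PATH`). Those claims are per-version, so a reviewer re-accepting them for a new release wants a check that re-derives them from the shipped files rather than trusting the note. The block below is an added example, not code from @napi-rs/canvas or napi-rs: the constants `SCOPE`, `BASE_NAME`, `ALLOWED_EXEC_COMMANDS`, the function names, and both sample inputs (a manifest and a loader source constructed to mimic the napi-rs convention, with one made-up off-scope dependency so the check has something to flag) are assumptions for the demonstration.

```javascript
// Added example: reviewer-side checks for a napi-rs style native-binding package.
// Not code from @napi-rs/canvas. Re-derives the three accepted-risk claims from a
// package.json object and the loader's JavaScript source.

const SCOPE = '@napi-rs';       // assumption: scope the platform variants must live in
const BASE_NAME = 'canvas';     // assumption: base package name
const ALLOWED_EXEC_COMMANDS = new Set(['ldd --version']);  // the one shell-out the review accepted
const ESCAPE_HATCH_ENV = 'process.env.NAPI_RS_NATIVE_LIBRARY_PATH';
const KNOWN_PLATFORMS = new Set(['darwin', 'linux', 'win32', 'android', 'freebsd']);

// Constructed manifest: variants named "<scope>/<base>-<platform>-<arch>[-<libc>]",
// plus one made-up off-scope entry that the check must flag.
const samplePackageJson = {
  name: `${SCOPE}/${BASE_NAME}`,
  version: '0.1.0',
  dependencies: { '@node-rs/helper': '^1.0.0' },
  optionalDependencies: {
    '@napi-rs/canvas-darwin-x64': '0.1.0',
    '@napi-rs/canvas-darwin-arm64': '0.1.0',
    '@napi-rs/canvas-linux-x64-gnu': '0.1.0',
    '@napi-rs/canvas-linux-x64-musl': '0.1.0',
    '@napi-rs/canvas-linux-arm64-gnu': '0.1.0',
    '@napi-rs/canvas-linux-arm64-musl': '0.1.0',
    '@napi-rs/canvas-linux-arm-gnueabihf': '0.1.0',
    '@napi-rs/canvas-win32-x64-msvc': '0.1.0',
    '@napi-rs/canvas-android-arm64': '0.1.0',
    '@someone-else/canvas-linux-x64-gnu': '0.1.0', // constructed: wrong scope, must be flagged
  },
};

// Constructed loader source in the napi-rs style: env-var escape hatch, musl probe,
// then a per-platform require of an optional dependency.
const sampleLoaderSource = `
const { execSync } = require('child_process')
let nativeBinding = null
function isMusl() {
  try { return execSync('ldd --version', { encoding: 'utf8' }).includes('musl') } catch (e) { return false }
}
if (process.env.NAPI_RS_NATIVE_LIBRARY_PATH) {
  nativeBinding = require(process.env.NAPI_RS_NATIVE_LIBRARY_PATH)
} else if (process.platform === 'linux' && process.arch === 'x64') {
  nativeBinding = isMusl() ? require('@napi-rs/canvas-linux-x64-musl') : require('@napi-rs/canvas-linux-x64-gnu')
}
module.exports = nativeBinding
`;

// Claim 1: every optionalDependency is "<scope>/<base>-<platform>-...", with a known platform segment.
function auditPlatformDeps(pkg) {
  const prefix = `${SCOPE}/${BASE_NAME}-`;
  const platformDeps = [], offScope = [], malformed = [];
  for (const name of Object.keys(pkg.optionalDependencies || {})) {
    if (!name.startsWith(prefix)) { offScope.push(name); continue; }
    const platform = name.slice(prefix.length).split('-')[0];
    (KNOWN_PLATFORMS.has(platform) ? platformDeps : malformed).push(name);
  }
  return { platformDeps, offScope, malformed };
}

// Claim 2: execSync is only called with a string literal that is on the allow list.
function auditExecSyncCalls(source) {
  const literalCall = /execSync\(\s*(['"`])([^'"`]*)\1/g;   // execSync('...')
  const nonLiteralCall = /execSync\(\s*(?!['"`])/g;           // execSync(someVariable)
  const unexpectedCommands = [];
  let m;
  while ((m = literalCall.exec(source)) !== null) {
    if (!ALLOWED_EXEC_COMMANDS.has(m[2])) unexpectedCommands.push(m[2]);
  }
  const dynamicCommandCalls = (source.match(nonLiteralCall) || []).length;
  return { unexpectedCommands, dynamicCommandCalls };
}

// Claim 3: the only require() with a non-literal argument is the documented escape hatch.
// Approximation: a non-literal argument counts as gated if it is the env var itself.
function auditDynamicRequires(source) {
  const dynamicRequire = /require\(\s*([^'"`)\s][^)]*)\)/g;
  const gated = [], ungated = [];
  let m;
  while ((m = dynamicRequire.exec(source)) !== null) {
    const arg = m[1].trim();
    (arg.includes(ESCAPE_HATCH_ENV) ? gated : ungated).push(arg);
  }
  return { gated, ungated };
}

function auditNapiPackage(pkg, loaderSource) {
  const deps = auditPlatformDeps(pkg);
  const exec = auditExecSyncCalls(loaderSource);
  const reqs = auditDynamicRequires(loaderSource);
  const problems = [
    ...deps.offScope.map((n) => `optional dependency outside ${SCOPE}/${BASE_NAME}-*: ${n}`),
    ...deps.malformed.map((n) => `platform variant with unknown platform segment: ${n}`),
    ...exec.unexpectedCommands.map((c) => `execSync with non-allow-listed command: ${c}`),
    ...(exec.dynamicCommandCalls ? [`execSync called with ${exec.dynamicCommandCalls} non-literal command(s)`] : []),
    ...reqs.ungated.map((a) => `dynamic require not using ${ESCAPE_HATCH_ENV}: ${a}`),
  ];
  return { ok: problems.length === 0, problems, platformDeps: deps.platformDeps };
}

console.log(JSON.stringify(auditNapiPackage(samplePackageJson, sampleLoaderSource), null, 2));
```

To run this against a real release, replace the two samples with the parsed `package.json` and the loader file read out of the tarball for that version (`npm pack` produces it offline once the tarball is cached). The regex checks are deliberately narrow: any `execSync` with a variable argument or any non-literal `require` that is not the env var is reported, which is the signal a reviewer wants before re-accepting `semgrep:dynamic-require` and `semgrep:child-process-execsync` for a new version.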
Versions (showing 12 of 112)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 10 / 28 | |
| 0.0.12 | 10 / 28 | |
| 0.0.11 | 10 / 28 | |
| 0.0.10 | 10 / 28 | |
| 0.0.9 | 10 / 28 | |
| 0.0.8 | 9 / 27 | |
| 0.0.7 | 9 / 26 | |
| 0.0.6 | 9 / 26 | |
| 0.0.5 | 9 / 26 | |
| 0.0.4 | 9 / 26 | |
| 0.0.3 | 9 / 26 | |
| 0.0.2 | 9 / 26 | |
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.