@napi-rs/keyring-linux-arm64-musl MIT 6 versions

@napi-rs/keyring-linux-arm64-musl

npm Repository Homepage

https://github.com/hwchen/keyring-rs Node.js binding via https://napi.rs

6

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

broooooklynforehalo

Keywords

napi-rsNAPIN-APIRustnode-addonnode-addon-api

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from maintainer to GitHub Actions CI publishing is documented napi-rs pattern; SLSA provenance attestation confirms legitimate CI origin.	ai	2026/05/18
npm-metadata	bundled-binaries	AI (npm-metadata): Platform-specific napi-rs binary package; .node file is the intended deliverable, published with SLSA provenance.	ai	2026/05/04
bogus-package	bogus-package	AI (bogus-package): No-dep, minimal-README pattern is standard for napi-rs platform shim packages.	ai	2026/05/04

Versions (showing 6 of 6)

Version	Deps	Published
1.3.0	0 / 0	2026-04-30
1.2.0	0 / 0	2025-09-02
1.1.10	0 / 0	2025-08-29
1.1.9	0 / 0	2025-07-24
1.1.8	0 / 0	2025-05-20
1.1.7	0 / 0	2025-05-04

v1.3.0

2 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • keyring.linux-arm64-musl.node

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

2 findings

HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-09-02) provenance

This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.10

2 findings

HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-08-29) provenance

This version was published by a different npm account than previous versions on 2025-08-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.