@node-rs/bcrypt
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require via @node-rs/helper's locateBinding is the canonical pattern for resolving platform-specific .node binaries; not arbitrary code loading. | ai | |
| typosquat | typosquat.levenshtein:bcryptjs | AI (typosquat): @node-rs/bcrypt is a scoped package in the publisher's own namespace, not an impersonation of bcryptjs. False positive for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Bundled .node files are expected native N-API/napi-rs Rust bindings for this package; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-freebsd-x64 | AI (phantom-deps): Standard NAPI-RS pattern: platform-specific optional dep loaded via @node-rs/helper at runtime, not via direct import. Same org scope, no malicious signal. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-win32-arm64-msvc | AI (phantom-deps): Standard NAPI-RS pattern: platform-specific optional dep loaded via @node-rs/helper at runtime, not via direct import. Same org scope, no malicious signal. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-linux-arm64-musl | AI (phantom-deps): Standard NAPI-RS pattern: platform-specific optional dep loaded via @node-rs/helper at runtime, not via direct import. Same org scope, no malicious signal. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('which ldd') is a hardcoded musl detection call in the NAPI binding loader — benign and stable across all versions of this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is limited to 'which ldd' for musl detection in NAPI binary selection — standard napi-rs pattern, no user input or network involved. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-android-arm-eabi | AI (phantom-deps): napi-rs platform binaries are optional deps selected at runtime by the loader; they are never directly imported in JS. This is the standard pattern for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @node-rs/bcrypt-android-arm-eabi is a platform-specific optional binary in the same org scope, following the established napi-rs multi-platform distribution pattern. Not a supply-chain risk. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by removal of @node-rs/helper and inline generation of platform-detection loader code by napi prepublish tooling. Expected for this migration. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-darwin-arm64 | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-linux-arm-gnueabihf | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-win32-ia32-msvc | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-linux-arm64-gnu | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-win32-x64-msvc | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-linux-x64-musl | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-linux-x64-gnu | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-android-arm64 | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@node-rs/bcrypt-darwin-x64 | AI (phantom-deps): Platform-specific optional binary loaded dynamically via @node-rs/helper; not directly imported by design. Standard napi-rs pattern. | ai |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 1.10.7 | 0 / 9 | |
| 1.10.5 | 0 / 5 | |
| 1.10.4 | 14 / 5 | |
| 1.10.3 | 14 / 5 | |
| 1.10.2 | 14 / 5 | |
| 1.10.1 | 14 / 5 | |
| 1.10.0 | 14 / 5 | |
| 1.9.2 | 14 / 5 | |
| 1.9.1 | 14 / 5 | |
| 1.9.0 | 14 / 5 | |
| 1.8.1 | 14 / 5 | |
| 1.8.0 | 14 / 5 | |
| 1.7.3 | 13 / 5 | |
| 1.7.1 | 13 / 4 | |
| 1.7.0 | 13 / 4 | |
| 1.6.2 | 13 / 3 | |
| 1.6.1 | 13 / 3 | |
| 1.6.0 | 13 / 3 | |
| 1.5.5 | 13 / 3 | |
| 1.5.4 | 13 / 3 | |
| 1.5.3 | 0 / 3 | |
| 1.5.2 | 13 / 3 | |
| 1.5.1 | 13 / 3 | |
| 1.5.0 | 13 / 3 | |
| 1.4.2 | 13 / 3 | |
| 1.4.1 | 13 / 3 | |
| 1.4.0 | 13 / 3 | |
| 1.3.0 | 13 / 3 | |
| 1.2.2 | 13 / 3 | |
| 1.2.1 | 10 / 3 | |
| 1.2.0 | 10 / 3 | |
| 1.1.0 | 10 / 2 | |
| 1.0.0 | 9 / 2 | |
| 0.5.0 | 4 / 1 | |
| 0.4.1 | 1 / 1 | |
| 0.4.0 | 1 / 1 | |
| 0.3.3 | 1 / 1 | |
| 0.3.2 | 1 / 1 | |
| 0.3.1 | 1 / 1 | |
| 0.3.0 | 1 / 1 | |
| 0.2.0 | 1 / 1 | |
| 0.1.0 | 1 / 1 |
v1.10.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.10.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.10.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.10.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.9.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.9.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.7.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.7.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: broooooklyn.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
2 findingsPackage contains compiled binaries that could be backdoors: • bcrypt.darwin.node • bcrypt.linux.node • bcrypt.win32.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.