@ossiana/node-libcurl MIT 2 versions

@ossiana/node-libcurl

## Different with Nodejs fetch api * The fingerprint can be customized to look like chrome or firefox ,it modified the BoringSSL extension, set the custom cipher suite with Libcurl ------------

Versions

MIT

License

Yes

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ossiana

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:install	AI (install-scripts): Install script is a no-op colon command; not executable code.	ai	2026/04/29
semgrep	semgrep:child-process-execsync	AI (semgrep): execSync used only to locate ldd binary; standard native addon detection pattern.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): child_process import is for ldd detection in postinstall; benign native binding pattern.	ai	2026/04/29
phantom-deps	phantom-dep:node-addon-api	AI (phantom-deps): node-addon-api is a build-time native addon dependency; not directly imported in JS but used in native compilation.	ai	2026/04/29

Versions (showing 2 of 2)

Version	Deps	Published
1.8.8	1 / 6	2026-04-29
1.8.7	1 / 6	2026-04-26

v1.8.8

2 findings

HIGH Package has 'install' script install-scripts

Script: :

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.