@php-wasm/node-8-1 GPL-2.0-or-later 5 versions

@php-wasm/node-8-1

npm Repository Homepage

PHP 8.1 WebAssembly binaries for node

Versions

GPL-2.0-or-later

License

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

bgrgicakadamzielbrandonpayton-a8csejasdanielbachhuberyannickdecatjanjakesakirk

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:eval-usage	AI (semgrep): Emscripten WASM glue code uses eval() for ASM_CONSTS dynamic function registration — standard pattern in compiled WASM output.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): child_process used in WASM glue to emulate PHP system() calls via spawnSync — expected in a PHP runtime package.	ai	2026/04/29
phantom-deps	phantom-dep:ini	AI (phantom-deps): ini is a legitimate runtime dep for config parsing; phantom-dep heuristic false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@php-wasm/universal	AI (phantom-deps): Same-org sibling dep; phantom-dep false positive for this monorepo package.	ai	2026/04/29

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.