@temporalio/core-bridge
Temporal.io SDK Core<>Node bridge
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): High-trust established package; missing attestation is a process gap, not a security risk for this publisher. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Prebuilt .node native addons for multiple platforms; standard for Rust-based Node bindings. | ai | |
| phantom-deps | phantom-dep:cargo-cp-artifact | AI (phantom-deps): cargo-cp-artifact is used in build scripts/config rather than directly imported in JS — stable false positive for this native binding package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in the build script to invoke Cargo for native addon compilation. Legitimate and expected for this Rust/Node bridge package. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script builds a Rust native addon via cargo — standard pattern for this package's Rust/Node bridge architecture, stable across all versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() loads a platform-specific prebuilt native binary via getPrebuiltPath(). This is the standard native addon binary loading pattern for this package; stable across versions. | ai | |
| dependencies | unvetted-dep:@temporalio/common | AI (dependencies): @temporalio/common is a sibling package in the same Temporal SDK monorepo, always pinned to the same version. Not a supply chain risk. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 1.16.2 | 2 / 3 | |
| 1.16.1 | 2 / 3 | |
| 1.16.0 | 2 / 3 | |
| 1.15.0 | 2 / 3 | |
| 1.14.1 | 2 / 3 | |
| 1.14.0 | 5 / 0 | |
| 1.13.2 | 5 / 0 | |
| 1.13.0 | 5 / 0 | |
| 1.12.3 | 5 / 0 | |
| 1.12.2 | 5 / 0 | |
| 1.12.1 | 5 / 0 | |
| 1.12.0 | 5 / 0 | |
| 1.11.8 | 4 / 0 | |
v1.16.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: temporal-sdk-team.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.8
2 findings
Package contains compiled binaries that could be backdoors:
• releases/aarch64-apple-darwin/index.node
• releases/aarch64-unknown-linux-gnu/index.node
• releases/x86_64-apple-darwin/index.node
• releases/x86_64-pc-windows-msvc/index.node
• releases/x86_64-unknown-linux-gnu/index.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.