@thiagoelg/node-printer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:install | AI (install-scripts): Standard `prebuild-install \|\| node-gyp rebuild` pattern for native addon; stable for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Prebuilt .node binaries are expected for this native printer binding package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used for printer interaction in a native binding; expected and documented. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the platform-specific .node binary; standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:prebuild-install | AI (phantom-deps): prebuild-install is a known implicit binary dependency used in the install script. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a native addon build dependency referenced in binding.gyp, not directly imported in JS. | ai | |
v0.6.2
3 findings
Script: prebuild-install || node-gyp rebuild
Package contains compiled binaries that could be backdoors:
- lib/node_printer.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.3
3 findings
Script: prebuild-install || node-gyp rebuild
Package contains compiled binaries that could be backdoors:
- build/Release/node_printer.node
- lib/node_printer.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.