@useragent-kit/chat-e2e-smoke-darwin-arm64
Prebuilt chat-e2e-smoke binary for macOS ARM64
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall only chmods the bundled binary; no network access or arbitrary code execution. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Package is explicitly a prebuilt binary distribution for darwin/arm64; bundled binary is the intended artifact. | ai | |
v0.0.5
3 findings
Script: node -e "var p=require('path').join(process.cwd(),'bin','chat-e2e-smoke');try{require('fs').chmodSync(p,0o755)}catch{}"
Package contains compiled binaries that could be backdoors: • bin/chat-e2e-smoke
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
3 findings
Script: node -e "var p=require('path').join(process.cwd(),'bin','chat-e2e-smoke');try{require('fs').chmodSync(p,0o755)}catch{}"
Package contains compiled binaries that could be backdoors: • bin/chat-e2e-smoke
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
3 findings
Script: node -e "var p=require('path').join(process.cwd(),'bin','chat-e2e-smoke');try{require('fs').chmodSync(p,0o755)}catch{}"
Package contains compiled binaries that could be backdoors: • bin/chat-e2e-smoke
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.