bare-crypto
Cryptographic primitives for JavaScript
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Native addon with source code included; prebuilds are the documented distribution mechanism for bare-* addons. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.15.3 | 2 / 7 | |
| 1.15.2 | 2 / 7 | |
| 1.15.1 | 2 / 7 | |
| 1.15.0 | 2 / 7 | |
| 1.14.1 | 2 / 7 | |
| 1.14.0 | 2 / 7 | |
| 1.13.7 | 2 / 7 | |
| 1.13.6 | 2 / 7 | |
| 1.13.5 | 2 / 7 | |
| 1.13.4 | 2 / 6 |
v1.15.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.7
2 findingsPackage contains compiled binaries that could be backdoors: • prebuilds/android-arm/bare-crypto.bare • prebuilds/android-arm64/bare-crypto.bare • prebuilds/android-ia32/bare-crypto.bare • prebuilds/android-x64/bare-crypto.bare • prebuilds/darwin-arm64/bare-crypto.bare • prebuilds/darwin-x64/bare-crypto.bare • prebuilds/ios-arm64-simulator/bare-crypto.bare • prebuilds/ios-arm64/bare-crypto.bare • prebuilds/ios-x64-simulator/bare-crypto.bare • prebuilds/linux-arm64/bare-crypto.bare ... and 3 more
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.6
2 findingsPackage contains compiled binaries that could be backdoors: • prebuilds/android-arm/bare-crypto.bare • prebuilds/android-arm64/bare-crypto.bare • prebuilds/android-ia32/bare-crypto.bare • prebuilds/android-x64/bare-crypto.bare • prebuilds/darwin-arm64/bare-crypto.bare • prebuilds/darwin-x64/bare-crypto.bare • prebuilds/ios-arm64-simulator/bare-crypto.bare • prebuilds/ios-arm64/bare-crypto.bare • prebuilds/ios-x64-simulator/bare-crypto.bare • prebuilds/linux-arm64/bare-crypto.bare ... and 3 more
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.5
2 findingsPackage contains compiled binaries that could be backdoors: • prebuilds/android-arm/bare-crypto.bare • prebuilds/android-arm64/bare-crypto.bare • prebuilds/android-ia32/bare-crypto.bare • prebuilds/android-x64/bare-crypto.bare • prebuilds/darwin-arm64/bare-crypto.bare • prebuilds/darwin-x64/bare-crypto.bare • prebuilds/ios-arm64-simulator/bare-crypto.bare • prebuilds/ios-arm64/bare-crypto.bare • prebuilds/ios-x64-simulator/bare-crypto.bare • prebuilds/linux-arm64/bare-crypto.bare ... and 3 more
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.