← Home

bson

A bson parser for node.js and the browser

51
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dariakpdbx-node

Keywords

mongodbbsonparser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:browser_build/bson.js AI (source-diff): browser_build/bson.js is a standard webpack UMD bundle for browser compatibility. The 'network + code execution' detection is a false positive on webpack's __webpack_require__ module loader pattern. ai
source-diff net-exec-file:src/utils/global.ts AI (source-diff): False positive: TypeScript source for the same cross-environment global detection utility. No network calls; Function() usage is a documented globalThis polyfill pattern. ai
source-diff net-exec-file:lib/utils/global.js AI (source-diff): False positive: file contains a standard cross-environment global detection utility using Function('return this')() — a documented pattern from core-js with no actual network calls or malicious behavior. ai
source-diff obfuscated-file:vendor/text-encoding/lib/encoding-indexes.js AI (source-diff): This file is the standard text-encoding polyfill's character index table (large arrays of code points), vendored from the well-known open-source [email protected] library. Not obfuscated malicious code. ai
source-diff source-size-tripled AI (source-diff): Size tripling explained by addition of multiple browser bundle distribution files (ESM, UMD, bundle) — legitimate build artifact expansion. ai
source-diff large-new-source-files AI (source-diff): Size increase is due to added browser bundle dist files (rollup output) and TypeScript sources — standard for bson's build process. ai
publish-pattern new-deps-added AI (publish-pattern): The 'buffer' package is a well-known Node.js Buffer polyfill for browsers, added to support new browser bundle distribution. ai
maintainer-change maintainer-removed AI (maintainer-change): Previous maintainers (christkv, daprahamian, octave) removed as part of MongoDB team transition; consistent with legitimate org change. ai
maintainer-change maintainer-added AI (maintainer-change): nbbeeken is a MongoDB employee with established npm history (2017); legitimate team transition for mongodb/js-bson. ai
source-diff net-exec-file:dist/bson.bundle.js AI (source-diff): Standard rollup bundle output for bson. No malicious patterns. ai
source-diff net-exec-file:lib/map.js AI (source-diff): Map polyfill using Function('return this')() for cross-environment global detection — well-known safe pattern. ai
source-diff net-exec-file:src/map.ts AI (source-diff): TypeScript source for Map polyfill. Same safe cross-environment global detection pattern. ai
semgrep semgrep:new-function-constructor AI (semgrep): Used in isolateEval() for BSON JavaScript code type deserialization — a documented BSON feature, not malicious. ai
source-diff net-exec-file:dist/bson.browser.esm.js AI (source-diff): Standard rollup-bundled browser ESM output with TypeScript helpers and BSON logic. No actual network calls or malicious execution. ai
source-diff net-exec-file:dist/bson.browser.umd.js AI (source-diff): Standard rollup UMD bundle output. No malicious network or execution patterns. ai
source-diff net-exec-file:dist/bson.esm.js AI (source-diff): Standard rollup ESM bundle. Imports 'buffer' polyfill for browser compatibility — legitimate. ai
source-diff net-exec-file:dist/bson.js AI (source-diff): dist/bson.js is a standard UMD browser bundle built by rollup (prepublishOnly). The sample shows UMD boilerplate and a Map polyfill — no actual network calls or malicious execution. False positive for this build artifact. ai
semgrep semgrep:eval-usage AI (semgrep): eval() in BSON deserializer reconstructs JavaScript function objects stored as BSON Code type — a documented BSON feature, not a supply-chain risk. ai
provenance publisher-changed AI (provenance): Publisher change from mbroadst to nbbeeken is a documented MongoDB team transition; nbbeeken has established history. ai
semgrep semgrep:base64-decode AI (semgrep): Base64 decoding is core BSON binary type serialization — expected and legitimate. ai
semgrep semgrep:hex-decode AI (semgrep): Hex decoding used for ObjectId construction — core BSON functionality. ai
bogus-package bogus-package AI (bogus-package): Inflated semver and mass-production signals are false positives: this is the official MongoDB BSON library migrating to a new publisher account with SLSA provenance attestation. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in etc/prepare.js build script only, not runtime code. ai

Versions (showing 51 of 74)

Show 1 prerelease View all versions
Version Deps Published
7.3.1 0 / 34
7.3.0 0 / 34
7.2.0 0 / 34
7.1.1 0 / 34
7.1.0 0 / 34
7.0.0 0 / 34
6.10.4 0 / 35
6.10.3 0 / 35
6.10.2 0 / 35
6.10.1 0 / 35
6.10.0 0 / 36
6.9.1 0 / 36
6.9.0 0 / 36
6.8.1 0 / 36
6.8.0 0 / 36
6.7.1 0 / 37
6.7.0 0 / 37
6.6.1 0 / 37
6.6.0 0 / 37
6.5.1 0 / 37
6.5.0 0 / 37
6.4.1 0 / 37
6.4.0 0 / 37
6.3.0 0 / 37
6.2.0 0 / 36
6.1.0 0 / 36
6.0.0 0 / 36
5.5.1 0 / 36
5.4.0 0 / 36
5.3.0 0 / 36
5.2.0 0 / 36
5.1.0 0 / 36
5.0.1 0 / 36
5.0.0 0 / 35
4.7.2 1 / 44
4.7.1 1 / 44
4.7.0 1 / 44
4.6.5 1 / 43
4.6.4 1 / 43
4.6.3 1 / 43
4.6.2 1 / 43
4.6.1 1 / 43
4.6.0 1 / 43
4.5.4 1 / 43
4.5.3 1 / 43
4.5.2 1 / 41
4.5.1 1 / 40
4.5.0 1 / 40
4.4.1 1 / 40
4.4.0 1 / 40
4.3.0 1 / 40

v7.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.3.0

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: dbx-node → GitHub Actions (on 2026-06-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-17. This could indicate a legitimate maintainer transition or an account compromise.