bson
A bson parser for node.js and the browser
75
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
dariakpdbx-node
Keywords
mongodbbsonparser
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:browser_build/bson.js | AI (source-diff): browser_build/bson.js is a standard webpack UMD bundle for browser compatibility. The 'network + code execution' detection is a false positive on webpack's __webpack_require__ module loader pattern. | ai | |
| source-diff | net-exec-file:src/utils/global.ts | AI (source-diff): False positive: TypeScript source for the same cross-environment global detection utility. No network calls; Function() usage is a documented globalThis polyfill pattern. | ai | |
| source-diff | net-exec-file:lib/utils/global.js | AI (source-diff): False positive: file contains a standard cross-environment global detection utility using Function('return this')() — a documented pattern from core-js with no actual network calls or malicious behavior. | ai | |
| source-diff | obfuscated-file:vendor/text-encoding/lib/encoding-indexes.js | AI (source-diff): This file is the standard text-encoding polyfill's character index table (large arrays of code points), vendored from the well-known open-source [email protected] library. Not obfuscated malicious code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size tripling explained by addition of multiple browser bundle distribution files (ESM, UMD, bundle) — legitimate build artifact expansion. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Size increase is due to added browser bundle dist files (rollup output) and TypeScript sources — standard for bson's build process. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The 'buffer' package is a well-known Node.js Buffer polyfill for browsers, added to support new browser bundle distribution. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Previous maintainers (christkv, daprahamian, octave) removed as part of MongoDB team transition; consistent with legitimate org change. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): nbbeeken is a MongoDB employee with established npm history (2017); legitimate team transition for mongodb/js-bson. | ai | |
| source-diff | net-exec-file:dist/bson.bundle.js | AI (source-diff): Standard rollup bundle output for bson. No malicious patterns. | ai | |
| source-diff | net-exec-file:lib/map.js | AI (source-diff): Map polyfill using Function('return this')() for cross-environment global detection — well-known safe pattern. | ai | |
| source-diff | net-exec-file:src/map.ts | AI (source-diff): TypeScript source for Map polyfill. Same safe cross-environment global detection pattern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in isolateEval() for BSON JavaScript code type deserialization — a documented BSON feature, not malicious. | ai | |
| source-diff | net-exec-file:dist/bson.browser.esm.js | AI (source-diff): Standard rollup-bundled browser ESM output with TypeScript helpers and BSON logic. No actual network calls or malicious execution. | ai | |
| source-diff | net-exec-file:dist/bson.browser.umd.js | AI (source-diff): Standard rollup UMD bundle output. No malicious network or execution patterns. | ai | |
| source-diff | net-exec-file:dist/bson.esm.js | AI (source-diff): Standard rollup ESM bundle. Imports 'buffer' polyfill for browser compatibility — legitimate. | ai | |
| source-diff | net-exec-file:dist/bson.js | AI (source-diff): dist/bson.js is a standard UMD browser bundle built by rollup (prepublishOnly). The sample shows UMD boilerplate and a Map polyfill — no actual network calls or malicious execution. False positive for this build artifact. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in BSON deserializer reconstructs JavaScript function objects stored as BSON Code type — a documented BSON feature, not a supply-chain risk. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from mbroadst to nbbeeken is a documented MongoDB team transition; nbbeeken has established history. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is core BSON binary type serialization — expected and legitimate. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding used for ObjectId construction — core BSON functionality. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver and mass-production signals are false positives: this is the official MongoDB BSON library migrating to a new publisher account with SLSA provenance attestation. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in etc/prepare.js build script only, not runtime code. | ai |
Versions (showing 75 of 75)
| Version | Deps | Published |
|---|---|---|
| 7.3.1 | 0 / 34 | |
| 7.3.0 | 0 / 34 | |
| 7.2.0 | 0 / 34 | |
| 7.1.1 | 0 / 34 | |
| 7.1.0 | 0 / 34 | |
| 7.0.0 | 0 / 34 | |
| 6.10.4 | 0 / 35 | |
| 6.10.3 | 0 / 35 | |
| 6.10.2 | 0 / 35 | |
| 6.10.1 | 0 / 35 | |
| 6.10.0 | 0 / 36 | |
| 6.9.1 | 0 / 36 | |
| 6.9.0 | 0 / 36 | |
| 6.8.1 | 0 / 36 | |
| 6.8.0 | 0 / 36 | |
| 6.7.1 | 0 / 37 | |
| 6.7.0 | 0 / 37 | |
| 6.6.1 | 0 / 37 | |
| 6.6.0 | 0 / 37 | |
| 6.5.1 | 0 / 37 | |
| 6.5.0 | 0 / 37 | |
| 6.4.1 | 0 / 37 | |
| 6.4.0 | 0 / 37 | |
| 6.3.0 | 0 / 37 | |
| 6.2.0 | 0 / 36 | |
| 6.1.0 | 0 / 36 | |
| 6.0.0 | 0 / 36 | |
| 5.5.1 | 0 / 36 | |
| 5.4.0 | 0 / 36 | |
| 5.3.0 | 0 / 36 | |
| 5.2.0 | 0 / 36 | |
| 5.1.0 | 0 / 36 | |
| 5.0.1 | 0 / 36 | |
| 5.0.0 | 0 / 35 | |
| 4.7.2 | 1 / 44 | |
| 4.7.1 | 1 / 44 | |
| 4.7.0 | 1 / 44 | |
| 4.6.5 | 1 / 43 | |
| 4.6.4 | 1 / 43 | |
| 4.6.3 | 1 / 43 | |
| 4.6.2 | 1 / 43 | |
| 4.6.1 | 1 / 43 | |
| 4.6.0 | 1 / 43 | |
| 4.5.4 | 1 / 43 | |
| 4.5.3 | 1 / 43 | |
| 4.5.2 | 1 / 41 | |
| 4.5.1 | 1 / 40 | |
| 4.5.0 | 1 / 40 | |
| 4.4.1 | 1 / 40 | |
| 4.4.0 | 1 / 40 | |
| 4.3.0 | 1 / 40 | |
| 4.2.3 | 1 / 39 | |
| 4.2.2 | 1 / 39 | |
| 4.2.1 | 1 / 39 | |
| 4.2.0 | 1 / 37 | |
| 4.1.0 | 2 / 24 | |
| 4.0.4 | 2 / 24 | |
| 4.0.3 | 2 / 24 | |
| 4.0.2 | 2 / 24 | |
| 4.0.1 | 2 / 24 | |
| 4.0.0 | 2 / 24 | |
| 3.0.2 | 0 / 16 | |
| 3.0.1 | 1 / 23 | |
| 3.0.0 | 0 / 16 | |
| 2.0.8 | 0 / 16 | |
| 2.0.7 | 0 / 16 | |
| 2.0.6 | 0 / 16 | |
| 2.0.5 | 0 / 16 | |
| 2.0.4 | 0 / 16 | |
| 2.0.3 | 0 / 16 | |
| 2.0.2 | 0 / 16 | |
| 2.0.1 | 0 / 16 | |
| 2.0.0 | 0 / 16 | |
| 1.1.4 | 0 / 12 | |
| 7.0.0-alpha.2 | 0 / 34 |
v7.3.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.0
2 findings
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
INFO
Publisher changed: dbx-node → GitHub Actions (on 2026-06-17)
provenance
[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-17. This could indicate a legitimate maintainer transition or an account compromise.