drivelist
1
Versions
—
License
Yes
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
balena.io
Keywords
diskcrossplatformphysicaldrivelist
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:install | AI (install-scripts): Standard native addon install pattern (prebuild-install || node-gyp rebuild); stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used to invoke OS disk-listing tools (lsblk etc.); core functionality of this package. | ai | |
| phantom-deps | phantom-dep:prebuild-install | AI (phantom-deps): prebuild-install is a known implicit binary dependency used in the install script. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is a build-time native addon dependency referenced in binding config, not JS imports. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): debug is commonly used via indirect require patterns; stable false positive for this package. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 12.0.2 | 4 / 14 |