
ffi-napi

A foreign function interface (FFI) for Node.js, N-API style

Versions: 6
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

• No SLSA provenance
• npm registry signatures
• gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

addaleax

Keywords

foreign, function, interface, ffi, libffi, binding, c, napi, stable

Accepted risks

Findings the reviewer chose to accept rather than block on.

Columns: Source, Rule, Reason, Accepted by, When (the When column is empty for every row).

Source: dependencies
Rule: unvetted-dep:node-gyp-build
Reason: AI (dependencies): node-gyp-build is the standard utility for native addon prebuilt binary selection; its use is expected and appropriate for this native FFI binding package.
Accepted by: ai

Source: install-scripts
Rule: install-script:install
Reason: AI (install-scripts): ffi-napi is a native addon; node-gyp-build as install script is the standard prebuildify pattern for selecting prebuilt binaries. Stable for this package.
Accepted by: ai

Source: npm-metadata
Rule: bundled-binaries
Reason: AI (npm-metadata): Prebuilt .node binaries are the expected output of the prebuildify CI workflow documented in package.json. Exactly 5 platform prebuilds are validated by the prepack script.
Accepted by: ai

Source: semgrep
Rule: semgrep:new-function-constructor
Reason: AI (semgrep): The new Function() call is a constructor guard pattern (calling its own constructor), not dynamic code compilation from external input. False positive for this package.
Accepted by: ai

Source: phantom-deps
Rule: phantom-dep:node-addon-api
Reason: AI (phantom-deps): node-addon-api is a native build dependency referenced in binding.gyp, not a JS import. Normal pattern for native addons.
Accepted by: ai

Source: phantom-deps
Rule: phantom-dep:get-uv-event-loop-napi-h
Reason: AI (phantom-deps): get-uv-event-loop-napi-h is a native build dependency referenced in binding.gyp, not a JS import. Normal pattern for native addons.
Accepted by: ai

Versions (showing 6 of 6)

Version   Deps    Published
4.0.3     6 / 6
4.0.2     6 / 6
4.0.1     6 / 6
3.1.0     6 / 6
3.0.1     6 / 6
3.0.0     6 / 6

v4.0.3

3 findings
HIGH (install-scripts): Package has 'install' script

Script: node-gyp-build

HIGH (npm-metadata): Bundled binary files (5)

Package contains compiled binaries that could be backdoors:
• prebuilds/linux-arm64/node.napi.uv1.armv8.node
• prebuilds/darwin-x64/node.napi.uv1.node
• prebuilds/linux-x64/node.napi.uv1.node
• prebuilds/win32-ia32/node.napi.uv1.node
• prebuilds/win32-x64/node.napi.uv1.node

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v4.0.2

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v4.0.1

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v3.1.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v3.0.1

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.