fs-ext-extra-prebuilt
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Package explicitly ships prebuilt .node binaries for multiple platforms/runtimes — this is its core purpose. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Native addon prebuilt-binary loader; install.js selects the correct .node binary for the platform — standard pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in install.js to fall back to node-gyp build if no prebuilt matches; expected for native addon installers. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the resolved prebuilt .node binary path; not arbitrary user input. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a C++ addon helper used in binding.gyp/fs-ext.cc, not imported via JS require; stable false positive for this native addon. | ai | |
v2.2.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it ties the published tarball to a specific source repository and workflow run. It does not vouch for the contents of that source or of the binaries the build produced.
v2.2.0
2 findings
Package contains compiled binaries that cannot be reviewed as source and could carry a backdoor:
- binaries/fs-ext-darwin-arm64-electron-38.2.2.node
- binaries/fs-ext-darwin-arm64-node-20.0.0.node
- binaries/fs-ext-darwin-arm64-node-21.0.0.node
- binaries/fs-ext-darwin-arm64-node-22.0.0.node
- binaries/fs-ext-darwin-arm64-node-23.0.0.node
- binaries/fs-ext-darwin-arm64-node-24.0.0.node
- binaries/fs-ext-darwin-arm64-node-25.0.0.node
- binaries/fs-ext-darwin-x64-electron-38.2.2.node
- binaries/fs-ext-darwin-x64-node-20.0.0.node
- binaries/fs-ext-darwin-x64-node-21.0.0.node
- ... and 32 more
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.