← Home

koffi

npm Repository Homepage
4
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

koromix

Keywords

foreignfunctioninterfaceffibindingcnapi

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
install-scripts install-script:install AI (install-scripts): Install script invokes cnoke.js with --prebuild flag to select prebuilt native binaries. Standard pattern for native addon packages; stable across all koffi versions. ai
npm-metadata bundled-binaries AI (npm-metadata): Koffi ships prebuilt .node binaries for 18 platform/arch combinations as its documented distribution model. These are the legitimate FFI native addon artifacts. ai
semgrep semgrep:eval-usage AI (semgrep): eval('require')(filename) is a standard bundler-bypass pattern used to dynamically load platform-specific .node binaries at runtime. Not an arbitrary code execution risk in this context. ai
semgrep semgrep:child-process-import AI (semgrep): child_process is used in the cnoke build tool (builder.js) to invoke CMake/compiler toolchains. Expected and necessary for a native addon build system. ai

Versions (showing 4 of 4)

Version Deps Published
3.0.0 0 / 0
2.16.2 0 / 0
2.16.1 0 / 0
2.16.0 0 / 0

v3.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.1

3 findings
HIGH Package has 'install' script install-scripts

Script: node src/cnoke/cnoke.js -P . -D src/koffi --prebuild

HIGH Bundled binary files (18) npm-metadata

Package contains compiled binaries that could be backdoors: • build/koffi/darwin_arm64/koffi.node • build/koffi/darwin_x64/koffi.node • build/koffi/freebsd_arm64/koffi.node • build/koffi/freebsd_ia32/koffi.node • build/koffi/freebsd_x64/koffi.node • build/koffi/linux_arm64/koffi.node • build/koffi/linux_armhf/koffi.node • build/koffi/linux_ia32/koffi.node • build/koffi/linux_loong64/koffi.node • build/koffi/linux_riscv64d/koffi.node ... and 8 more

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.16.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.