libsignal
Versions: 1
License: —
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
mayfield, purpshell
Keywords
signal, whispersystems, crypto
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in Gruntfile.js (dev build tooling only), not runtime code. Standard for native Node.js crypto modules that require compilation steps. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec() is in Gruntfile.js build script, not runtime. Typical for native addon build orchestration; not a runtime threat. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 encode/decode is fundamental to Signal Protocol session key serialization. All instances are legitimate cryptographic data handling, not payload obfuscation. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 1 / 3 | |
v2.0.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.