msgpackr-extract
Node addon for string extraction for msgpackr
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): High-volume established native addon; dormancy followed by routine maintenance release is plausible for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 11.8M weekly downloads and long history; lack of Sigstore provenance is a minor gap, not a security risk for this well-known package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is trivially small in absolute terms (72B→282B); reflects added build scripts for new platform targets, not injected payloads. Stable pattern for this native addon package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are platform-specific prebuilt binary packages under the @msgpackr-extract/ namespace — a standard native addon distribution pattern for this package. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-darwin-x64 | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-darwin-arm64 | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-linux-arm64 | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-linux-arm | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-linux-x64 | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:@msgpackr-extract/msgpackr-extract-win32-x64 | AI (phantom-deps): Platform-specific prebuilt binary package declared as optionalDependency; loaded via node-gyp-build-optional-packages, not direct require. Standard native addon pattern. | ai | |
| install-scripts | install-script:install | AI (install-scripts): node-gyp-build-optional-packages is the standard install mechanism for native addons with prebuilt binaries; stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process in bin/download-prebuilds.js is a CLI tool for fetching prebuilts, not run at install time; expected for native addon. | ai | |
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 3.0.4 | 1 / 3 | |
| 3.0.3 | 1 / 3 | |
| 3.0.2 | 7 / 3 | |
| 3.0.1 | 7 / 3 | |
| 3.0.0 | 7 / 3 | |
| 2.2.0 | 7 / 3 | |
| 2.1.2 | 7 / 3 | |
| 2.1.1 | 7 / 3 | |
| 2.1.0 | 7 / 3 | |
| 2.0.2 | 7 / 2 | |
| 2.0.1 | 7 / 2 | |
| 2.0.0 | 7 / 2 | |
| 1.1.4 | 7 / 2 | |
| 1.1.3 | 7 / 2 | |
| 1.1.2 | 7 / 2 | |
| 1.1.1 | 7 / 2 | |
| 1.1.0 | 7 / 2 | |
| 1.0.16 | 2 / 2 | |
| 1.0.15 | 2 / 3 | |
| 1.0.14 | 2 / 2 | |
| 1.0.13 | 2 / 0 | |
| 1.0.12 | 2 / 0 | |
| 1.0.11 | 2 / 0 | |
| 1.0.10 | 2 / 0 | |
| 1.0.9 | 2 / 0 | |
| 1.0.8 | 2 / 0 | |
| 1.0.7 | 2 / 0 | |
| 1.0.6 | 2 / 0 | |
| 1.0.5 | 2 / 0 | |
| 1.0.4 | 2 / 0 | |
| 1.0.3 | 2 / 0 | |
| 1.0.2 | 2 / 0 | |
| 1.0.1 | 2 / 0 | |
| 1.0.0 | 2 / 0 | |
| 0.3.6 | 2 / 0 | |
| 0.3.5 | 2 / 0 | |
| 0.3.4 | 2 / 0 | |
| 0.3.3 | 2 / 0 | |
| 0.3.2 | 2 / 0 | |
| 0.3.1 | 2 / 0 | |
| 0.3.0 | 2 / 0 | |
| 0.2.0 | 2 / 0 | |
| 0.1.1 | 2 / 0 | |
| 0.1.0 | 2 / 0 | |
v3.0.4
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3
2 findings
- Script: node-gyp-build-optional-packages
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.