← Home

native-or-another

npm Repository Homepage

Guaranteed way for getting a Promise. Always native Promise if available, otherwise looks for common promise libraries and loads which is installed. Allows registering custom Promise implementation in node < 0.12 versions

8
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tunnckocore

Keywords

anyany-promiseautoloadbluebirdcommoncommon-promiseecmaecmascriptes2015es6es2017loadload-promiseloadingnativenative-promisepromisepromisesregisterregister-promiseregistrationspecification

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance no-provenance AI (provenance): Mature package (4196 days old) published before Sigstore provenance was standard practice; low risk for this well-established package. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require is the core mechanism of this package — it iterates a hardcoded list of known Promise libraries to find one that's installed. Not user-controlled; benign by design. ai

Versions (showing 8 of 8)

Version Deps Published
5.0.1 4 / 10
5.0.0 4 / 10
4.0.0 1 / 5
3.0.2 2 / 3
3.0.1 2 / 3
3.0.0 2 / 2
2.0.0 1 / 4
1.0.0 0 / 6

v5.0.1

2 findings
HIGH Unclaimed maintainer email domain: tunnckocore email-domain

Maintainer email '@tunnckoCore' uses domain 'tunnckocore' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

2 findings
HIGH Unclaimed maintainer email domain: tunnckocore email-domain

Maintainer email '@tunnckoCore' uses domain 'tunnckocore' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

2 findings
HIGH Unclaimed maintainer email domain: tunnckocore email-domain

Maintainer email '@tunnckoCore' uses domain 'tunnckocore' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.