
node-libcurl

Versions: 4
License
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

jonathancardoso

Keywords

node-curl, curl, libcurl, node-libcurl, axios, request

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Established native binding with SLSA provenance; long dormancy followed by CI-published release with clean diff is not indicative of takeover. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Standard node-pre-gyp install with fallback-to-build; canonical pattern for native addons. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall is a documented post-build step for this native binding package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in build/codegen scripts (build-constants.js); expected for native addon tooling. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): vcpkg-setup.js is a documented build dependency setup step for this native binding. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is referenced in binding.gyp config, not imported in JS; standard for native addons. | ai | |
| phantom-deps | phantom-dep:@mapbox/node-pre-gyp | AI (phantom-deps): node-pre-gyp is invoked via CLI in install script, not imported; standard native addon pattern. | ai | |
| phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is a known implicit build dependency for native addons; not directly imported in JS. | ai | |

Versions (showing 4 of 4)

| Version | Deps | Published |
|---|---|---|
| 5.1.0 | 7 / 40 | |
| 5.0.2 | 7 / 40 | |
| 5.0.1 | 7 / 40 | |
| 5.0.0 | 7 / 40 | |

v5.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.2

4 findings
HIGH Package has 'preinstall' script install-scripts

Script: node scripts/vcpkg-setup.js

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall

HIGH Package has 'install' script install-scripts

Script: node-pre-gyp install --fallback-to-build

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.