node-pty — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tyriaralexr00microsoft1es

Keywords

ptyttyterminalpseudoterminalforkptyopenpty

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): node-pty's postinstall is a documented step for native addon setup; stable across all versions of this package.	ai	2026/04/25
install-scripts	install-script:install	AI (install-scripts): node-pty uses node-gyp to compile native bindings; install script is the canonical native addon build pattern.	ai	2026/04/25
npm-metadata	bundled-binaries	AI (npm-metadata): Bundled binaries (spawn-helper, conpty.dll, winpty.dll, OpenConsole.exe) are documented, expected components of node-pty's cross-platform PTY implementation.	ai	2026/04/25
semgrep	semgrep:child-process-import	AI (semgrep): child_process usage is in test files and is expected for a terminal emulation library's test suite.	ai	2026/04/25
semgrep	semgrep:child-process-spawn	AI (semgrep): cp.spawn in test files is expected for testing PTY/terminal behavior; not a malicious signal.	ai	2026/04/25
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in utils.js loads platform-specific .node native addon files; standard pattern for native bindings.	ai	2026/04/25
phantom-deps	phantom-dep:node-addon-api	AI (phantom-deps): node-addon-api is a build-time dependency for native addons; phantom-dep detection is a false positive for this package type.	ai	2026/04/25

Versions (showing 1 of 1)

Version	Deps	Published
1.1.0	1 / 10	2025-12-22

v1.1.0

4 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/post-install.js

HIGH Package has 'install' script install-scripts

Script: node scripts/prebuild.js || node-gyp rebuild

HIGH Bundled binary files (22) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/darwin-arm64/spawn-helper • prebuilds/darwin-x64/spawn-helper • prebuilds/win32-arm64/conpty/conpty.dll • prebuilds/win32-x64/conpty/conpty.dll • third_party/conpty/1.23.251008001/win10-arm64/conpty.dll • third_party/conpty/1.23.251008001/win10-x64/conpty.dll • prebuilds/win32-arm64/winpty.dll • prebuilds/win32-x64/winpty.dll • prebuilds/win32-arm64/conpty/OpenConsole.exe • prebuilds/win32-x64/conpty/OpenConsole.exe ... and 12 more

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.