← Home

pbf

7
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mapbox-npm-01mapbox-npm-02mapbox-npm-07mapbox-npm-03mapbox-npm-04mapbox-npm-09mapbox-npm-05mapbox-npm-06mapbox-npm-08mapbox-npm-advanced-actionsmapbox-npm-cimapbox-npmmapbox-adminmapbox-machine-usermbx-npm-ci-stagingmbx-npm-ci-productionmbx-npm-01-productionmbx-npm-02-productionmbx-npm-03-productionmbx-npm-04-productionmbx-npm-05-productionmbx-npm-06-productionmbx-npm-07-productionmbx-npm-08-productionmbx-npm-09-productionmbx-npm-02-stagingmbx-npm-advanced-actions-stagingmbx-npm-advanced-actions-production

Keywords

protocolbufferpbfprotobufbinaryformatserializationencoderdecoder

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:resolve-protobuf-schema AI (phantom-deps): Declared dep referenced in config, not source import; stable FP for this package. ai
typosquat typosquat.levenshtein:pg AI (typosquat): pbf is a well-established Mapbox Protocol Buffer library; the name similarity to 'pg' is coincidental and these serve entirely different purposes. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() in compile.js is used to dynamically compile protobuf schemas — a standard, documented pattern for this type of code-generation library. ai

Versions (showing 7 of 7)

Version Deps Published
5.1.2 1 / 8
5.1.1 1 / 8
5.1.0 1 / 8
5.0.0 1 / 8
4.0.2 1 / 8
4.0.1 1 / 9
4.0.0 1 / 9

v5.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.1

2 findings
HIGH Publisher changed: mbx-npm-07-production → GitHub Actions (on 2026-07-08) provenance

This version was published by a different npm account than previous versions on 2026-07-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.0

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: mbx-npm-08-production → mbx-npm-07-production (on 2026-05-29, known maintainer) provenance

This version was published by a different npm account (mbx-npm-07-production) than the most recent previously approved version (mbx-npm-08-production) on 2026-05-29, but mbx-npm-07-production is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v5.0.0

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: mbx-npm-06-production → mbx-npm-08-production (on 2026-05-26, known maintainer) provenance

This version was published by a different npm account (mbx-npm-08-production) than the most recent previously approved version (mbx-npm-06-production) on 2026-05-26, but mbx-npm-08-production is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v4.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.