simdle-native
libsimdle JavaScript bindings for Node.js
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:b4a | AI (dependencies): b4a is a well-known Holepunch buffer utility; stable false positive for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): simdle-native is a native addon package (addon:true) that legitimately bundles prebuilt platform binaries in prebuilds/; this is the standard Holepunch/Bare distribution pattern. | ai |
v1.3.9
2 findingsPackage contains compiled binaries that could be backdoors: • prebuilds/android-arm/simdle-native.bare • prebuilds/android-arm64/simdle-native.bare • prebuilds/android-ia32/simdle-native.bare • prebuilds/android-x64/simdle-native.bare • prebuilds/darwin-arm64/simdle-native.bare • prebuilds/darwin-x64/simdle-native.bare • prebuilds/ios-arm64-simulator/simdle-native.bare • prebuilds/ios-arm64/simdle-native.bare • prebuilds/ios-x64-simulator/simdle-native.bare • prebuilds/linux-arm64/simdle-native.bare ... and 13 more
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.