← Home

web-tree-sitter

33
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ahlincmaxbrunsfeldamaanqtclemrewinfreyrobrixpatrickthomsondcreager1847

Keywords

incrementalparsingtree-sitterwasm

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata bundled-binaries AI (npm-metadata): WASM parser ships compiled .wasm by design; core function. ai
source-diff source-size-tripled AI (source-diff): Added debug builds, source maps, and WASM files; expected growth. ai
source-diff net-exec-file:tree-sitter.cjs AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. ai
source-diff net-exec-file:debug/tree-sitter.js AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. ai
source-diff obfuscated-file:debug/tree-sitter.cjs AI (source-diff): Emscripten-generated WASM glue code; bundled output is expected for this package. ai
source-diff obfuscated-file:lib/tree-sitter.cjs AI (source-diff): Emscripten-generated WASM glue code; bundled output is expected for this package. ai
source-diff obfuscated-file:debug/tree-sitter.js AI (source-diff): esbuild-bundled output of TypeScript sources; expected for this package. ai
source-diff net-exec-file:debug/tree-sitter.cjs AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. ai
source-diff net-exec-file:lib/tree-sitter.cjs AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. ai
semgrep semgrep:toplevel-fetch AI (semgrep): fetch() is used to load .wasm binary files from URLs in browser environments — this is the core documented functionality of a WebAssembly binding library, not telemetry or exfiltration. ai
semgrep semgrep:eval-usage AI (semgrep): eval() is used in Emscripten's addEmAsm() to reconstruct inline assembly functions from the compiled WASM module's own constant table — standard Emscripten runtime pattern, not a supply-chain risk. ai

Versions (showing 33 of 33)

Version Deps Published
0.26.11 0 / 12
0.26.10 0 / 12
0.26.9 0 / 12
0.26.8 0 / 12
0.26.7 0 / 12
0.26.6 0 / 12
0.26.5 0 / 12
0.26.4 0 / 12
0.26.3 0 / 12
0.26.0 0 / 12
0.25.10 0 / 11
0.25.9 0 / 11
0.25.8 0 / 12
0.25.7 0 / 12
0.25.6 0 / 12
0.25.5 0 / 12
0.25.4 0 / 12
0.25.3 0 / 12
0.25.2 0 / 12
0.25.1 0 / 12
0.25.0 0 / 12
0.24.7 0 / 5
0.24.6 0 / 5
0.24.5 0 / 5
0.24.4 0 / 5
0.24.3 0 / 5
0.24.2 0 / 5
0.24.1 0 / 5
0.24.0 0 / 5
0.23.2 0 / 5
0.23.1 0 / 5
0.23.0 0 / 5
0.22.6 0 / 6

v0.26.11

2 findings
HIGH Bundled binary files (2) npm-metadata

Package contains compiled binaries that could be backdoors: • debug/web-tree-sitter.wasm • web-tree-sitter.wasm

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.26.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.26.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.3

8 findings
HIGH New obfuscated file: debug/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: lib/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: debug/tree-sitter.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.25.2

8 findings
HIGH New obfuscated file: debug/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: lib/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: debug/tree-sitter.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.25.1

8 findings
HIGH New obfuscated file: debug/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: lib/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: debug/tree-sitter.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.25.0

8 findings
HIGH New obfuscated file: debug/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/tree-sitter.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: lib/tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: tree-sitter.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: debug/tree-sitter.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: debug/tree-sitter.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.24.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.24.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.23.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.23.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.23.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.22.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.