web-tree-sitter
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): WASM parser ships compiled .wasm by design; core function. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Added debug builds, source maps, and WASM files; expected growth. | ai | |
| source-diff | net-exec-file:tree-sitter.cjs | AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. | ai | |
| source-diff | net-exec-file:debug/tree-sitter.js | AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. | ai | |
| source-diff | obfuscated-file:debug/tree-sitter.cjs | AI (source-diff): Emscripten-generated WASM glue code; bundled output is expected for this package. | ai | |
| source-diff | obfuscated-file:lib/tree-sitter.cjs | AI (source-diff): Emscripten-generated WASM glue code; bundled output is expected for this package. | ai | |
| source-diff | obfuscated-file:debug/tree-sitter.js | AI (source-diff): esbuild-bundled output of TypeScript sources; expected for this package. | ai | |
| source-diff | net-exec-file:debug/tree-sitter.cjs | AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. | ai | |
| source-diff | net-exec-file:lib/tree-sitter.cjs | AI (source-diff): Emscripten glue: fetch loads .wasm, eval for ASM_CONSTS — standard pattern. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() is used to load .wasm binary files from URLs in browser environments — this is the core documented functionality of a WebAssembly binding library, not telemetry or exfiltration. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used in Emscripten's addEmAsm() to reconstruct inline assembly functions from the compiled WASM module's own constant table — standard Emscripten runtime pattern, not a supply-chain risk. | ai |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.26.11 | 0 / 12 | |
| 0.26.10 | 0 / 12 | |
| 0.26.9 | 0 / 12 | |
| 0.26.8 | 0 / 12 | |
| 0.26.7 | 0 / 12 | |
| 0.26.6 | 0 / 12 | |
| 0.26.5 | 0 / 12 | |
| 0.26.4 | 0 / 12 | |
| 0.26.3 | 0 / 12 | |
| 0.26.0 | 0 / 12 | |
| 0.25.10 | 0 / 11 | |
| 0.25.9 | 0 / 11 | |
| 0.25.8 | 0 / 12 | |
| 0.25.7 | 0 / 12 | |
| 0.25.6 | 0 / 12 | |
| 0.25.5 | 0 / 12 | |
| 0.25.4 | 0 / 12 | |
| 0.25.3 | 0 / 12 | |
| 0.25.2 | 0 / 12 | |
| 0.25.1 | 0 / 12 | |
| 0.25.0 | 0 / 12 | |
| 0.24.7 | 0 / 5 | |
| 0.24.6 | 0 / 5 | |
| 0.24.5 | 0 / 5 | |
| 0.24.4 | 0 / 5 | |
| 0.24.3 | 0 / 5 | |
| 0.24.2 | 0 / 5 | |
| 0.24.1 | 0 / 5 | |
| 0.24.0 | 0 / 5 | |
| 0.23.2 | 0 / 5 | |
| 0.23.1 | 0 / 5 | |
| 0.23.0 | 0 / 5 | |
| 0.22.6 | 0 / 6 |
v0.26.11
2 findingsPackage contains compiled binaries that could be backdoors: • debug/web-tree-sitter.wasm • web-tree-sitter.wasm
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.26.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.26.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.25.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.3
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.2
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.