+120
| # Security | ||
| ## Reporting vulnerabilities | ||
| If you believe you have found a security issue in **node-tpm2**, please report it responsibly: | ||
| - **Email:** [support@hardproof.app](mailto:support@hardproof.app) (package maintainer contact from npm) | ||
| - **GitHub:** [Open a private security advisory](https://github.com/stacks0x/tpm2/security/advisories/new) on this repository | ||
| Do not open public issues for undisclosed vulnerabilities. | ||
| --- | ||
| ## Supply chain transparency (Socket.dev) | ||
| This package is analyzed by [Socket.dev](https://socket.dev/npm/package/node-tpm2). As of the initial transparency pass, typical scores were: | ||
| | Dimension | Score | | ||
| |-----------|------:| | ||
| | Quality | 100 | | ||
| | Maintenance | 94 | | ||
| | License | 100 | | ||
| | Vulnerability | 100 | | ||
| | **Supply Chain Security** | **71** | | ||
| **Supply Chain 71 is expected for a prebuilt native Node binding**, not evidence of a defect in this library. Static analysis flags structural patterns in the napi-rs loader and native-addon layout. Each alert is accounted for below. | ||
| Scores change over time on Socket's dashboard — this document explains **why the flags exist**, not how to chase a perfect number. | ||
| --- | ||
| ## Socket alert accounting | ||
| All locations below refer to the **published npm package**. The loader file `native.cjs` is **auto-generated by [napi-rs](https://napi.rs)** at build time — do not hand-edit it; regenerate with `npm run build`. | ||
| ### Shell access (amber) — `child_process` in `native.cjs` | ||
| **What:** `isMuslFromChildProcess()` calls `execSync('ldd --version')` when filesystem and `process.report` musl/glibc detection both fail on Linux. | ||
| **Why it exists:** Choose the correct prebuilt binary (`*-gnu.node` vs `*-musl.node`) on ambiguous Linux environments. | ||
| **Risk:** Low. The command string is **hardcoded**. No user input, package name, or network data reaches this call. It runs at **module load** on Linux only, as a last-resort fallback after non-shell checks. | ||
| **Mitigation path:** Track upstream [napi-rs](https://github.com/napi-rs/napi-rs) loader changes; regenerate when a future release removes or replaces this fallback. We are already on current `@napi-rs/cli`. | ||
| --- | ||
| ### Dynamic require (informational) — `native.cjs` | ||
| **What:** The loader `require()`s the platform-specific prebuilt `.node` binary (and optional platform packages such as `node-tpm2-linux-x64-gnu`) based on `process.platform` / `process.arch` / musl detection. | ||
| **Why it exists:** Standard pattern for npm packages that ship prebuilt native addons via optional dependencies. | ||
| **Risk:** None inherent. The require target is chosen from a fixed platform matrix, not from caller-controlled strings (except the documented override below). | ||
| **Related:** `NAPI_RS_NATIVE_LIBRARY_PATH` allows loading a specific `.node` path for development/debugging — a documented napi-rs knob, not runtime API surface of this library. | ||
| --- | ||
| ### Filesystem access (informational) — `native.cjs` (+ library behavior) | ||
| **Loader (`native.cjs`):** | ||
| - Reads `/usr/bin/ldd` (text) for musl detection (`isMuslFromFilesystem`). | ||
| - Reads each optional binding's `package.json` for version consistency when `NAPI_RS_ENFORCE_VERSION_CHECK` is enabled. | ||
| **Library (Rust / JS):** Attestation and key APIs may read or write **AK blob files** when the **application** passes paths or persists exported blobs — that is documented product behavior, not covert file access. | ||
| **Risk:** None inherent in the loader paths above. | ||
| --- | ||
| ### Environment variable access (informational) — `native.cjs` | ||
| **What:** The loader reads napi-rs environment variables: | ||
| | Variable | Purpose | | ||
| |----------|---------| | ||
| | `NAPI_RS_NATIVE_LIBRARY_PATH` | Override path to a `.node` binary (dev/debug) | | ||
| | `NAPI_RS_FORCE_WASI` | Force or error on WASI binding load | | ||
| | `NAPI_RS_ENFORCE_VERSION_CHECK` | Enforce optional-deps version match (default on) | | ||
| **Risk:** None inherent. These are standard napi-rs configuration knobs documented upstream. | ||
| --- | ||
| ### URL strings (informational) — `native.cjs` | ||
| **What:** Error messages include URL strings (e.g. a link to an npm optional-dependencies bug report when platform packages fail to load). | ||
| **Risk:** None. Strings appear in error text only; the loader does not fetch URLs or open network connections. | ||
| --- | ||
| ### AI-detected code anomaly (informational) — package-wide | ||
| **What:** Socket's model flags atypical patterns in native bindings: low-level TPM command byte marshalling, Windows PCP/NCrypt integration, and Rust→NAPI exports. | ||
| **Risk:** None cited to a specific behavior. This alert reflects that the package is **not pure JavaScript**, not that a particular line is malicious. | ||
| --- | ||
| ## What this package does at runtime (trust boundary) | ||
| - **Linux:** Submits TPM 2.0 commands via `/dev/tpmrm0` (TBS-style raw commands). | ||
| - **Windows:** Submits TPM commands via TBS; attestation key persistence uses NCrypt Platform Crypto Provider (PCP). | ||
| - **No network I/O** in the library itself. | ||
| - **No shell** in application/Rust code — the only shell-related code is the napi-rs loader fallback above. | ||
| Consumers remain responsible for how they store AK blobs, NV indices, and sealed data in their own applications. | ||
| --- | ||
| ## Dependency surface | ||
| Runtime npm dependencies: **none** (only optional platform binding packages published alongside `node-tpm2`). | ||
| Build-time: Rust crates (compiled into the `.node` binary), `@napi-rs/cli` (dev only, not published to consumers). | ||
| See [README.md](./README.md) and [docs/api-reference.md](./docs/api-reference.md) for the public API and platform matrix. |
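Review bot: the environment-variable table in this new file describes `NAPI_RS_ENFORCE_VERSION_CHECK` as "default on", but the generated loader in this same change only throws when the variable is set and is not `'0'` (`bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0'`), so with the variable unset a mismatched optional binding loads without complaint. Either the table should say the check is opt-in, or the file should tell consumers to set the variable in production; as written it overstates the protection against a stale or substituted platform package. Two smaller points: the trust-boundary section states Linux support via `/dev/tpmrm0`, while the roadmap and README hunks only claim validation on Windows 11 hardware, so a sentence on Linux test coverage would help; and `NAPI_RS_NATIVE_LIBRARY_PATH` is the one path where the binary that gets `require()`d at module load is chosen by the environment rather than the fixed platform matrix, so the "dev/debug" description deserves a line advising deployments to leave it unset.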
+1
-1
@@ -12,3 +12,3 @@ # API roadmap | ||
| ## Current state (0.0.5) | ||
| ## Current state (0.0.6) | ||
@@ -15,0 +15,0 @@ **Shipped and validated on real Windows 11 hardware (Intel TPM, non-virtual):** attestation (user + machine provision, cross-user quote, SYSTEM provision), `random`, `keys` (sign + RSA decrypt), `pcr.read` / `pcr.extend` (admin on Windows), `nv` (read/write/define/undefine/readPublic), `seal` / `unseal`. |
+52
-52
@@ -80,4 +80,4 @@ // prettier-ignore | ||
| const bindingPackageVersion = require('node-tpm2-android-arm64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
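Review bot: this literal version bump is repeated identically across all 26 platform branches of `native.cjs` (android, win32, darwin, freebsd, linux, openharmony) with no shared constant, and SECURITY.md in this same change says the file is generated by napi-rs and must not be hand-edited. Please confirm the diff came from `npm run build` rather than a search-and-replace, and consider a CI step that regenerates the loader and fails on any difference so the embedded version cannot drift from `package.json`.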
@@ -97,4 +97,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-android-arm-eabi/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -119,4 +119,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-win32-x64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -136,4 +136,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-windows-x64-msvc/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -154,4 +154,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-win32-ia32-msvc/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -171,4 +171,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-windows-arm64-msvc/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -191,4 +191,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-darwin-universal/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -208,4 +208,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-darwin-x64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -225,4 +225,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-darwin-arm64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -246,4 +246,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-freebsd-x64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -263,4 +263,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-freebsd-arm64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -285,4 +285,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-x64-musl/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -302,4 +302,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-x64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -321,4 +321,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-arm64-musl/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -338,4 +338,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-arm64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -357,4 +357,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-arm-musleabihf/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -374,4 +374,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-arm-gnueabihf/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -393,4 +393,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-loong64-musl/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -410,4 +410,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-loong64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -429,4 +429,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-riscv64-musl/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -446,4 +446,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-riscv64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -464,4 +464,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-ppc64-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -481,4 +481,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-linux-s390x-gnu/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -502,4 +502,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-openharmony-arm64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -519,4 +519,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-openharmony-x64/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -536,4 +536,4 @@ return binding | ||
| const bindingPackageVersion = require('node-tpm2-openharmony-arm/package.json').version | ||
| if (bindingPackageVersion !== '0.0.5' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.5 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| if (bindingPackageVersion !== '0.0.6' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') { | ||
| throw new Error(`Native binding package version mismatch, expected 0.0.6 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`) | ||
| } | ||
@@ -540,0 +540,0 @@ return binding |
+11
-10
| { | ||
| "name": "node-tpm2", | ||
| "version": "0.0.5", | ||
| "version": "0.0.6", | ||
| "description": "TPM 2.0 attestation for Node.js — prebuilt native bindings, PCR quotes, and fleet-ready Windows PCP keys. No tpm2-tools.", | ||
@@ -47,2 +47,3 @@ "type": "module", | ||
| "docs/roadmap.md", | ||
| "SECURITY.md", | ||
| "examples" | ||
@@ -86,12 +87,12 @@ ], | ||
| "optionalDependencies": { | ||
| "node-tpm2-windows-x64-msvc": "0.0.5", | ||
| "node-tpm2-windows-arm64-msvc": "0.0.5", | ||
| "node-tpm2-linux-x64-gnu": "0.0.5", | ||
| "node-tpm2-linux-arm64-gnu": "0.0.5", | ||
| "node-tpm2-linux-x64-musl": "0.0.5", | ||
| "node-tpm2-linux-arm64-musl": "0.0.5", | ||
| "node-tpm2-darwin-arm64": "0.0.5", | ||
| "node-tpm2-win32-x64-msvc": "0.0.5", | ||
| "node-tpm2-win32-arm64-msvc": "0.0.5" | ||
| "node-tpm2-windows-x64-msvc": "0.0.6", | ||
| "node-tpm2-windows-arm64-msvc": "0.0.6", | ||
| "node-tpm2-linux-x64-gnu": "0.0.6", | ||
| "node-tpm2-linux-arm64-gnu": "0.0.6", | ||
| "node-tpm2-linux-x64-musl": "0.0.6", | ||
| "node-tpm2-linux-arm64-musl": "0.0.6", | ||
| "node-tpm2-darwin-arm64": "0.0.6", | ||
| "node-tpm2-win32-x64-msvc": "0.0.6", | ||
| "node-tpm2-win32-arm64-msvc": "0.0.6" | ||
| } | ||
| } |
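Review bot: `optionalDependencies` pins nine platform packages, yet the loader hunks in this change probe many more (`node-tpm2-android-arm64`, `node-tpm2-freebsd-x64`, `node-tpm2-linux-loong64-gnu`, the `openharmony-*` set, `node-tpm2-win32-x64-gnu`, among others) that are not listed here and will therefore never be installed. That is normal for a napi-rs generated loader, but since the version check only guards packages that actually install, the platform matrix documented in `docs/api-reference.md` should match exactly these nine names. Also worth confirming that both the `node-tpm2-windows-*-msvc` and `node-tpm2-win32-*-msvc` pairs are really published; a pin to a name that does not exist on the registry is dead weight and a confusing install-time warning for consumers.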
+14
-2
| # node-tpm2 | ||
| [](https://socket.dev/npm/package/node-tpm2) | ||
| Native TPM 2.0 for Node.js. Prebuilt binaries — no `tpm2-tools`, no `tpm2-tss`, no Rust at install time. | ||
@@ -21,3 +23,3 @@ | ||
| **Stable** (`0.0.5`). Full public API implemented and validated on real Windows 11 + Intel TPM. [API reference](./docs/api-reference.md) · [Roadmap](./docs/roadmap.md). | ||
| **Stable** (`0.0.6`). Full public API implemented and validated on real Windows 11 + Intel TPM. [API reference](./docs/api-reference.md) · [Roadmap](./docs/roadmap.md). | ||
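Review bot: labelling a `0.0.6` release **Stable** sits awkwardly with semver, where a `0.x` major signals that the public API may still change between minor releases; either soften the wording (for example "API complete, pre-1.0") or move to `1.0.0` once the API is frozen, so consumers can rely on the version number alone.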
@@ -464,2 +466,12 @@ --- | ||
| ## Supply chain transparency | ||
| This package is a **native TPM binding** (prebuilt `.node` + napi-rs loader). [Socket.dev](https://socket.dev/npm/package/node-tpm2) scores it highly on quality, license, and vulnerability, with a lower **Supply Chain Security** score (~71) that reflects **structural native-module patterns**, not a known defect. | ||
| Typical flags: dynamic `require` of platform binaries, filesystem reads for libc detection, env vars (`NAPI_RS_*`), and a **hardcoded** `ldd --version` shell fallback in the generated loader (Linux only, last resort). Each is documented in [SECURITY.md](./SECURITY.md). | ||
| We publish the Socket score and the full alert-by-alert accounting voluntarily — see [SECURITY.md](./SECURITY.md) for details and how to report security issues. | ||
| --- | ||
| ## Contributing | ||
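Review bot: the `~71` figure will go stale as Socket re-scores the package, and SECURITY.md in this same change already says scores change over time; suggest the README drop the number, say only that the Supply Chain Security score is lower because of native-module patterns, and link to SECURITY.md for the current accounting. This section is also the natural place to state that the hardcoded `ldd --version` fallback runs at module load, so consumers in minimal containers know to check whether a failed `ldd` invocation is caught by the loader or surfaces as a load error.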
@@ -475,3 +487,3 @@ | ||
| Docs: [getting-started.md](./docs/getting-started.md) · [windows-pcp.md](./docs/windows-pcp.md) · [roadmap.md](./docs/roadmap.md) | ||
| Docs: [getting-started.md](./docs/getting-started.md) · [windows-pcp.md](./docs/windows-pcp.md) · [roadmap.md](./docs/roadmap.md) · [SECURITY.md](./SECURITY.md) | ||
@@ -478,0 +490,0 @@ Low-level Rust validation: `cargo run --no-default-features --features probe-bin --bin tbs-probe --` (repo only, not published to npm). |