Chainguard LIBRARIES FOR JAVASCRIPT
Stay protected from the next Shai-Hulud

Chainguard Libraries for JavaScript are drop-in replacements for your npm packages, built from source in a SLSA L3-compliant environment so the next malware incident isn't your problem.

The world's leading companies trust Chainguard.

  • Snap
  • SolarWinds
  • VP Bank
  • Ironclad
  • Wistia
  • LogicMonitor
  • Fortinet

System scale

Access thousands of JavaScript packages that replace what you get from npm, with more being added every week.

Proactive malware prevention

Stay protected from malicious attacks often inserted during the build and distribution stages of package creation.

Verification by default

Every library is built in a secure, SLSA L3 build system with full provenance and signed SBOMs to prove supply chain integrity.

Expertise and experience

The leading open source minds driving the industry forward, delivering new innovations for developers.

JavaScript packages should always match the source

Today, using npm is a leap of faith. You trust that your packages match their source code. Chainguard builds from source with signed SBOMs and provenance, guaranteeing your dependencies are immune to build-time and distribution-stage malware injections.

Step One

Locate source code

Step Two

Send to Chainguard Factory

Step Three

Use our deep ecosystem expertise to build the package in a SLSA L3-compliant environment.

Step Four

Test built tarballs and report success/failure

Step Five

Publish tarballs

Step Six

Publish automated provenance

Stay protected from npm malware

Since 99.7% of npm malware has no verifiable source code, building from source means you would have been immune from these incidents because Chainguard would have never built the malicious packages in the first place.

chalk, debug, and more — Sep. 2025

Phished maintainer credentials were used to publish malicious versions of packages with 2.6B weekly downloads. Chainguard would not have built them as no verifiable source code existed.

Sha1-Hulud — Nov. 2025, and Shai-Hulud — Sep. 2025

Two worms deployed via stolen bot credentials exposed thousands of developer secrets and led to Trust Wallet losing $8.5M in assets. Chainguard Libraries for JavaScript doesn't build libraries that use pre-install scripts.

Solana Web3.js — Dec. 2024

A compromised maintainer account published a backdoor that drained $160K in crypto assets. Chainguard would not have built it since there was no verifiable source code.

is — Sep. 2025

Phished maintainer credentials backdoored a package with 2.8M weekly downloads before npm removed it hours later. Since only credentials were compromised and the malware did not have source code, Chainguard wouldn’t have built it.

Every package is built from source or governed by policy

99.7%+ of malware has no publicly verifiable source code, so building from source eliminates the attack vector entirely.

Thousands of drop-in, safe JavaScript dependencies

Access the web development stack that you need, such as TypeScript, Node.js, and React, along with thousands of other dependencies to build your node app.

Signed, sealed, and dependable

Every version comes built with full provenance and signed SBOMs, so you have indisputable proof that your dependencies came from the SLSA L3-compliant Chainguard Factory, not a machine from a vulnerable maintainer account.

Drops right into your environment

All of our language ecosystems drop right into your current tools and workflows, meaning no setup time, no change management, and no catastrophic malware risk.
