@actions/io — Greenflagged

Actions io lib

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

chrispatbryanmacfarlanethboopkonradpabjancschleidenbdehamerjoshmgross

Keywords

githubactionsio

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): GitHub Actions toolkit moved to automated CI/CD publishing with SLSA provenance, which supersedes gitHead as a supply chain signal.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Legitimate transition from individual (jclem) to GitHub Actions org bot account for automated publishing of the official toolkit.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known GitHub Actions team members; normal team rotation for the official actions/toolkit package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers are former GitHub employees; normal team turnover for the official actions/toolkit package.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): @actions/io is an official GitHub Actions I/O utility that legitimately uses child_process to invoke system tools (cp, mv, which, etc.). This is expected and documented behavior.	ai	2026/04/21
typosquat	typosquat.levenshtein:zod	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'zod' is a stable false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:koa	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to short unscoped names like 'koa' is a stable false positive for this package.	ai	2026/04/21
typosquat	typosquat.levenshtein:pino	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'pino' is a stable false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:got	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'got' is a stable false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:pg	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'pg' is a stable false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:qs	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'qs' is a stable false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:joi	AI (typosquat): @actions/io is GitHub's official scoped toolkit package; Levenshtein comparison to 'joi' is a stable false positive.	ai	2026/04/21

Versions (showing 11 of 11)

Version	Deps	Published
3.0.2	0 / 0	2026-01-28
3.0.1	0 / 0	2026-01-28
3.0.0	0 / 0	2026-01-28
2.0.0	0 / 0	2025-10-31
1.1.3	0 / 0	2023-03-15
1.1.2	0 / 0	2022-03-17
1.1.1	0 / 0	2021-06-07
1.1.0	0 / 0	2021-04-02
1.0.2	0 / 0	2020-01-10
1.0.1	0 / 0	2019-09-05
1.0.0	0 / 0	2019-08-07