@arkweid/lefthook
Simple git hooks manager
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Arkweid → envek (Evilmartians) is a documented, legitimate org transfer for the lefthook project. envek has a strong track record (25 approved, 0 rejected). | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Same legitimate org transfer; envek is the known new maintainer of lefthook under Evilmartians stewardship. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance standards; no provenance is expected for this era of publishing. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): postinstall selects the correct pre-bundled platform binary — standard pattern for cross-platform CLI tools distributed via npm. Stable for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Bundled binaries are the documented distribution mechanism for lefthook (a Go CLI tool). The set of binaries matches the expected OS/arch matrix exactly. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process.spawn is used to invoke the platform-specific lefthook binary — the expected wrapper pattern for a native CLI tool distributed via npm. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.7.7 | 0 / 0 | |
| 0.7.5 | 0 / 0 | |
| 0.7.1 | 0 / 0 | |
| 0.6.7 | 0 / 0 | |
| 0.6.5 | 0 / 0 | |
| 0.6.0 | 0 / 0 | |
| 0.3.3 | 0 / 0 | |
| 0.3.2 | 0 / 0 | |
| 0.3.1 | 0 / 0 | |
| 0.3.0 | 0 / 0 | |
v0.7.7
3 findings
Script: node postinstall.js
Package contains compiled binaries that could be backdoors:
• bin/lefthook_darwin_amd64/lefthook
• bin/lefthook_darwin_arm64/lefthook
• bin/lefthook_linux_386/lefthook
• bin/lefthook_linux_amd64/lefthook
• bin/lefthook_linux_arm64/lefthook
• bin/lefthook_windows_386/lefthook.exe
• bin/lefthook_windows_amd64/lefthook.exe
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.5
2 findings
This version was published by a different npm account than previous versions on 2021-05-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.