@automattic/jetpack-boost-score-api
A package to get the Jetpack Boost score of a site
Versions: 16
License: GPL-2.0-or-later
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
macbreyuliyanmjangdamatticbota8cbloweryehg_sgomestyxlasaroshaganejclovrencicsirbrilligchriszaraterobersongomesjohngodleyjehervedaledupreez-a8ct2dw4tluismulinariandrea-sdlelazzabifmfernandessirrealwwachihsuanmanzoorwanijkmsurdi-a8cnewspack-npmdsmartgkthai15bgrgicakrobertsreberski_a8cartpigmjuhaszkat3samsinbrunobastodhenridevmrmurphywpvip-botetobiesenalshakeroarthur791004diliritymehmoodaknatalia.vidalivan.ottingeranandnalyaarcangelinisretrofoxfredrikekelundchriskmndsoandregalgalatanovidiukangzj_mirka_aduthebuccelli
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from matticbot to GitHub Actions as part of Automattic's CI/CD migration; SLSA provenance attestation confirms legitimate automated publishing. This is a stable, expected pattern for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Automattic is a large org with normal team turnover; maintainer additions/removals in their monorepo packages reflect legitimate organizational changes, not takeover risk. | ai | |
| source-diff | obfuscated-file:build/index.js | AI (source-diff): build/index.js is a standard webpack bundle output for this TypeScript package. Minified build artifacts are expected and consistent with the package's build tooling (webpack). Not malicious obfuscation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals are consistent with normal Automattic team turnover; no evidence of malicious takeover in this well-established package. | ai | |
| dependencies | unvetted-dep:zod | AI (dependencies): zod is a widely-used, legitimate validation library; unvetted status does not reflect actual risk for this established package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Package ships a pre-built bundle; zod is a declared runtime dep used in build output, not directly imported in analyzed source. False positive for this build pattern. | ai | |
| phantom-deps | phantom-dep:@wordpress/i18n | AI (phantom-deps): Same build-output pattern — @wordpress/i18n is a legitimate Automattic dep bundled at build time, not directly imported in analyzed source. | ai | |
| bogus-package | bogus-package | AI (bogus-package): This is a legitimate Automattic sub-package of the Jetpack monorepo. README linking to the monorepo is expected; low-value signals are false positives for this package. | ai | |