@boost/pipeline
Pipe an input through a series of routines and tasks to produce an output, or simply, run logic in a series of stages.
Versions: 47
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
milesj
Keywords
boost, pipeline, routine, task, work, work unit, parallel, serial
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Trusted long-standing publisher (milesj) with 456 approved packages; missing gitHead likely reflects a publish environment change, not malicious activity. No other risk signals present. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump (v2→v5) with ESM migration explains large file count increase; consistent with package restructuring, not injected code. | ai | |
| dependencies | unvetted-dep:@boost/internal | AI (dependencies): @boost/internal is an intra-monorepo dependency maintained by the same publisher (milesj) as @boost/pipeline; it is not a third-party risk. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The new dependency is @boost/internal, part of the same @boost monorepo by the same trusted publisher. Not a third-party supply chain risk. | ai | |
| dependencies | unvetted-dep:@boost/translate | AI (dependencies): @boost/translate is a sibling package in the same @boost monorepo by the same trusted publisher (milesj). No security concern. | ai | |
| phantom-deps | phantom-dep:@boost/translate | AI (phantom-deps): Same-org scoped sibling package; declared as dependency and used within the @boost ecosystem. Not a phantom dependency risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption (published ~2019). Absence of provenance is expected for packages of this age. | ai | |
| dependencies | unvetted-dep:execa | AI (dependencies): execa is a well-known, widely-used process execution library with no malicious history. Stable false positive for this package. | ai | |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 5.0.0 | 8 / 0 | |
| 4.0.1 | 8 / 0 | |
| 4.0.0 | 8 / 0 | |
| 3.2.2 | 8 / 0 | |
| 3.2.1 | 8 / 0 | |
| 3.2.0 | 8 / 0 | |
| 3.1.1 | 8 / 0 | |
| 3.1.0 | 8 / 0 | |
| 3.0.0 | 8 / 0 | |
| 2.2.8 | 8 / 0 | |
| 2.2.7 | 8 / 0 | |
| 2.2.6 | 8 / 0 | |
| 2.2.5 | 8 / 0 | |
| 2.2.4 | 8 / 0 | |
| 2.2.3 | 8 / 0 | |
| 2.2.2 | 8 / 0 | |
| 2.2.1 | 8 / 0 | |
| 2.2.0 | 8 / 0 | |
| 2.1.8 | 8 / 0 | |
| 2.1.7 | 8 / 0 | |
| 2.1.6 | 8 / 0 | |
| 2.1.5 | 8 / 0 | |
| 2.1.4 | 8 / 0 | |
| 2.1.3 | 8 / 0 | |
| 2.1.2 | 8 / 0 | |
| 2.1.1 | 8 / 0 | |
| 2.1.0 | 8 / 0 | |
| 2.0.1 | 8 / 0 | |
| 2.0.0 | 8 / 0 | |
| 1.5.3 | 8 / 0 | |
| 1.5.2 | 8 / 0 | |
| 1.5.1 | 8 / 0 | |
| 1.5.0 | 8 / 0 | |
| 1.4.0 | 8 / 0 | |
| 1.3.5 | 8 / 0 | |
| 1.3.4 | 8 / 0 | |
| 1.3.3 | 8 / 0 | |
| 1.3.2 | 8 / 0 | |
| 1.3.1 | 8 / 0 | |
| 1.3.0 | 8 / 0 | |
| 1.2.4 | 8 / 0 | |
| 1.2.3 | 8 / 0 | |
| 1.2.2 | 8 / 2 | |
| 1.2.1 | 8 / 2 | |
| 1.2.0 | 8 / 2 | |
| 1.1.0 | 8 / 2 | |
| 1.0.0 | 7 / 2 | |