All @datadog/datadog-ci-plugin-gate versions

@datadog/[email protected] rejected Risk: 25 Apache-2.0 2025-12-16

@datadog/datadog-ci-plugin-gate @5.0.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

Apache-2.0

License

Install Scripts

Dependencies

Dev Dependencies

15.4 KB

Package Size

2025-12-16

Published

Datadog CI plugin for `gate` commands

Maintainers

datadog

Keywords

datadogdatadog-ciplugin

Dependencies (4)

Package	Constraint	Registry Status
uuid	^9.0.0	auto_approved
axios	^1.12.1	auto_approved
chalk	3.0.0	auto_approved
@types/uuid	^9.0.2	No greenflagged match

Transitive Dependency Tree

36 transitive deps max depth 6

├─ @types/uuid ^9.0.2

├─ axios ^1.12.1 → 1.16.1

├─ chalk 3.0.0 → 3.0.0

├─ uuid ^9.0.0 → 9.0.1

├─ ansi-styles ^4.1.0 → 4.3.0

├─ follow-redirects ^1.16.0 → 1.16.0

├─ form-data ^4.0.5 → 4.0.5

├─ https-proxy-agent ^5.0.1 → 5.0.1

├─ proxy-from-env ^2.1.0 → 2.1.0

├─ supports-color ^7.1.0 → 7.2.0

├─ agent-base 6 → 6.0.2

├─ asynckit ^0.4.0

├─ color-convert ^2.0.1

├─ combined-stream ^1.0.8 → 1.0.8

├─ debug 4 → 4.4.3

├─ es-set-tostringtag ^2.1.0 → 2.1.0

├─ has-flag ^4.0.0 → 4.0.0

├─ hasown ^2.0.2 → 2.0.4

├─ mime-types ^2.1.12 → 2.1.35

├─ debug 4 → 4.4.3

├─ delayed-stream ~1.0.0 → 1.0.0

├─ es-errors ^1.3.0 → 1.3.0

├─ function-bind ^1.1.2 → 1.1.2

├─ get-intrinsic ^1.2.6 → 1.3.1

├─ has-tostringtag ^1.0.2 → 1.0.2

├─ hasown ^2.0.2 → 2.0.4

├─ mime-db 1.52.0

├─ ms ^2.1.3 → 2.1.3

├─ async-function ^1.0.0

├─ async-generator-function ^1.0.0 → 1.0.0

├─ call-bind-apply-helpers ^1.0.2 → 1.0.2

├─ es-define-property ^1.0.1 → 1.0.1

├─ es-errors ^1.3.0 → 1.3.0

├─ es-object-atoms ^1.1.1 → 1.1.2

├─ function-bind ^1.1.2 → 1.1.2

├─ generator-function ^2.0.0 → 2.0.1

├─ get-proto ^1.0.1

├─ gopd ^1.2.0 → 1.2.0

├─ has-symbols ^1.1.0 → 1.1.0

├─ has-symbols ^1.0.3 → 1.1.0

├─ hasown ^2.0.2 → 2.0.4

├─ math-intrinsics ^1.1.0 → 1.1.0

├─ ms ^2.1.3 → 2.1.3

├─ es-errors ^1.3.0 → 1.3.0

├─ function-bind ^1.1.2 → 1.1.2

Changes from v4.1.1

No metadata changes detected.

File Changes

0 added 0 removed 4 modified size delta: +.9 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`regressed-provenance`	provenance	reject	AI	AI (provenance): Provenance regression is a disqualifying signal for this package; prior versions consistently had attestations.

SAST Findings (2)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: datadog → GitHub Actions (on 2025-12-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-16. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 25. Findings: 1 high (+25), 2 info (+0).

Commit: b00a24f900ff Browse source

Published to npm: 2025-12-16