@fastify/csrf-protection
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): Fastify org regularly rotates maintainers; new maintainers are known Fastify contributors. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are prior Fastify org members; consistent with org-level rotation, not a takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy reflects normal release cadence for a stable Fastify plugin, not suspicious activity. | ai | |
| dependencies | unvetted-dep:@fastify/csrf | AI (dependencies): First-party @fastify org dependency; expected and appropriate for this CSRF protection plugin. | ai |
v8.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (fdawgs) than the most recent previously approved version (eomm) on 2026-06-09, but fdawgs is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v7.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.