@forinda/kickjs-db — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

forinda

Keywords

kickjsnodejstypescriptormcode-first-ormkysely-wrappersql-buildermigrationsquery-buildermulti-dialectpostgresmysqlsqlite

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/src-Dpz7lQYB.mjs	AI (source-diff): Standard tsdown bundle output with license header and readable identifiers; not obfuscated.	ai	2026/06/12
source-diff	obfuscated-file:dist/cli.mjs	AI (source-diff): Standard minified ESM bundle output from tsdown; readable identifiers and license header confirm legitimate build artifact.	ai	2026/06/11
source-diff	obfuscated-file:dist/src-lL141oWK.mjs	AI (source-diff): Standard minified ESM bundle; imports from kysely and node builtins confirm legitimate ORM build output.	ai	2026/06/11
source-diff	obfuscated-file:dist/index-B1r7mcA1.d.mts	AI (source-diff): TypeScript declaration file with long lines due to bundled type definitions; not obfuscated.	ai	2026/06/11
provenance	publisher-changed	AI (provenance): Package uses GitHub Actions for publishing with SLSA attestation; CI publisher is the expected norm for this package.	ai	2026/05/05

Versions (showing 15 of 15)

Version	Deps	Published
6.1.1	4 / 11	2026-06-10
6.1.0	4 / 11	2026-06-10
6.0.0	1 / 8	2026-05-30
5.9.1	1 / 8	2026-05-21
5.9.0	1 / 8	2026-05-13
5.8.0	1 / 8	2026-05-13
5.7.0	1 / 8	2026-05-13
5.6.0	1 / 8	2026-05-09
5.5.0	1 / 8	2026-05-09
5.4.1	1 / 8	2026-05-05
5.3.0	1 / 8	2026-05-05
5.2.2	1 / 8	2026-05-04
5.2.1	1 / 8	2026-05-04
5.2.0	1 / 8	2026-04-30
5.1.0	1 / 7	2026-04-28

v6.1.1

4 findings

HIGH New obfuscated file: dist/cli.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src-Dpz7lQYB.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-B1r7mcA1.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.0

4 findings

HIGH New obfuscated file: dist/cli.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src-lL141oWK.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-B1r7mcA1.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.8.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.2

2 findings

HIGH Publisher changed: forinda → GitHub Actions (on 2026-05-04) provenance

This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.1

2 findings

HIGH Publisher changed: forinda → GitHub Actions (on 2026-05-04) provenance

This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.