@google-cloud/nodejs-repo-tools

Tools used to maintain and test Node.js repositories in the GoogleCloudPlaftorm organization.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

google-wombot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Mass-production signal is expected: jdobry maintains many Google Cloud Node.js tooling packages with templated names. This is a legitimate Google Cloud developer tool, not spam.	ai	2026/04/24
phantom-deps	phantom-dep:semistandard	AI (phantom-deps): semistandard is a linting tool referenced in package.json config; phantom-dep pattern is normal for dev tools.	ai	2026/04/24
dependencies	unvetted-dep:string	AI (dependencies): [email protected] is a well-known utility library pinned to a specific version; no advisory flagged. Stable false positive for this package.	ai	2026/04/24
dependencies	unvetted-dep:handlebars	AI (dependencies): [email protected] is a well-known templating library; no OSV advisory flagged for this version in this context. Stable false positive for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): semver is a canonical, widely-trusted npm package; its addition to a Google Cloud build tooling package is benign and expected.	ai	2026/04/24
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawning processes is the primary purpose of this repo-tools CLI; not malicious.	ai	2026/04/23
semgrep	semgrep:child-process-exec	AI (semgrep): exec() used in runAsync helper for developer tooling; expected and documented behavior for this package.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in build_pack.js is used to load build pack configuration files — a legitimate plugin/config loading pattern for this tooling package.	ai	2026/04/23
maintainer-change	maintainer-takeover	AI (maintainer-change): google-wombot is Google's official automation account for GCP Node.js packages; the transition from google-node-team to google-wombot is a documented Google-wide publishing migration, not a hijack.	ai	2026/04/23
phantom-deps	phantom-dep:nyc	AI (phantom-deps): nyc is declared in dependencies and used in config sections; phantom-dep finding is a false positive.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Package published in 2019, predating Sigstore provenance availability; not a meaningful risk signal for this era.	ai	2026/04/23
phantom-deps	phantom-dep:ava	AI (phantom-deps): ava is declared in dependencies and used in config sections; phantom-dep finding is a false positive.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): google-wombot is Google's official bot account; addition is part of Google's automated publishing migration.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual Google maintainers in favor of google-wombot bot is consistent with Google's GCP Node.js publishing automation migration.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher change from google-node-team to google-wombot reflects Google's migration to automated publishing; not an account compromise.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): This is a CLI/developer tooling package that explicitly runs test commands and system processes; child_process usage is core expected functionality.	ai	2026/04/23

Versions (showing 54 of 54)

Version	Deps	Published
3.3.0	14 / 8	2019-05-14
2.3.3	14 / 8	2018-07-27
2.3.0	14 / 8	2018-04-07
2.2.0	13 / 8	2018-01-26
2.0.9	13 / 3	2017-10-13
2.0.8	13 / 3	2017-10-12
2.0.7	13 / 3	2017-10-03
1.4.17	11 / 0	2017-08-14
1.4.16	11 / 0	2017-08-03
1.4.15	11 / 0	2017-06-01
1.4.14	11 / 0	2017-05-16
1.4.13	11 / 0	2017-05-09
1.4.12	11 / 0	2017-05-04
1.4.11	11 / 0	2017-05-03
1.4.10	11 / 0	2017-05-03
1.4.9	11 / 0	2017-05-03
1.4.8	11 / 0	2017-05-03
1.4.7	11 / 0	2017-05-01
1.4.6	11 / 0	2017-05-01
1.4.5	11 / 0	2017-05-01
1.4.4	11 / 0	2017-04-29
1.4.3	11 / 0	2017-04-29
1.4.2	11 / 0	2017-04-29
1.4.1	11 / 0	2017-04-29
1.4.0	11 / 0	2017-04-29
1.3.5	13 / 0	2017-04-28
1.3.4	13 / 0	2017-04-28
1.3.3	13 / 0	2017-04-28
1.3.2	13 / 0	2017-04-21
1.3.1	13 / 0	2017-04-21
1.3.0	13 / 0	2017-04-21
1.2.1	13 / 1	2017-04-21
1.2.0	13 / 1	2017-04-21
1.1.11	13 / 1	2017-04-20
1.1.10	13 / 1	2017-04-19
1.1.9	13 / 1	2017-04-19
1.1.8	13 / 1	2017-04-19
1.1.7	13 / 1	2017-04-19
1.1.6	13 / 1	2017-04-19
1.1.5	13 / 1	2017-04-19
1.1.4	13 / 1	2017-04-19
1.1.3	13 / 1	2017-04-19
1.1.2	13 / 1	2017-04-19
1.1.1	13 / 1	2017-04-19
1.1.0	13 / 1	2017-04-18
1.0.8	4 / 1	2017-04-17
1.0.7	4 / 1	2017-04-17
1.0.6	4 / 1	2017-04-17
1.0.5	4 / 1	2017-04-17
1.0.4	4 / 1	2017-04-15
1.0.3	4 / 1	2017-04-14
1.0.2	4 / 1	2017-04-14
1.0.1	4 / 1	2017-04-14
1.0.0	4 / 1	2017-04-14

v3.3.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (fenster, google-node-team, justinbeckwith, ofrobots) were replaced by new maintainers (google-wombot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: google-node-team → google-wombot (on 2019-05-14) provenance

This version was published by a different npm account than previous versions on 2019-05-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.