@oclif/command
oclif base command
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established oclif org package; missing gitHead reflects a publish environment change, not a security concern. Stable false positive for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): oclif-bot removal is part of the same Salesforce org transition; not indicative of a hostile takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @oclif/config and @oclif/plugin-help are first-party oclif packages from the same org; natural dependencies for this base command package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are named Salesforce engineers and salesforce-releases account — consistent with Salesforce's stewardship of the oclif project. Legitimate org transition. | ai | |
| provenance | publisher-changed | AI (provenance): The dickeyxxx → oclif-bot transition occurred in Feb 2018 and represents a legitimate move to an org automation account. 100+ subsequent versions confirm this is the official publisher for the oclif org. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the package's own package.json to check Node version — entirely benign and stable for this package. | ai | |
| typosquat | typosquat.levenshtein:commander | AI (typosquat): @oclif/command is a legitimate Salesforce/oclif framework package, not a typosquat of commander. The scoped namespace, age, and publisher track record confirm this is a false positive. | ai |
Versions (showing 100 of 106)
| Version | Deps | Published |
|---|---|---|
| 1.8.36 | 6 / 17 | |
| 1.8.35 | 6 / 17 | |
| 1.8.34 | 6 / 17 | |
| 1.8.33 | 6 / 17 | |
| 1.8.32 | 6 / 17 | |
| 1.8.31 | 6 / 17 | |
| 1.8.30 | 6 / 17 | |
| 1.8.29 | 6 / 17 | |
| 1.8.28 | 6 / 17 | |
| 1.8.27 | 6 / 17 | |
| 1.8.26 | 6 / 17 | |
| 1.8.25 | 6 / 17 | |
| 1.8.24 | 6 / 17 | |
| 1.8.23 | 6 / 17 | |
| 1.8.22 | 6 / 17 | |
| 1.8.21 | 6 / 17 | |
| 1.8.20 | 6 / 17 | |
| 1.8.19 | 6 / 17 | |
| 1.8.18 | 6 / 17 | |
| 1.8.16 | 6 / 17 | |
| 1.8.15 | 6 / 17 | |
| 1.8.14 | 6 / 17 | |
| 1.8.13 | 6 / 17 | |
| 1.8.12 | 6 / 17 | |
| 1.8.11 | 6 / 17 | |
| 1.8.10 | 6 / 17 | |
| 1.8.9 | 6 / 17 | |
| 1.8.8 | 6 / 17 | |
| 1.8.7 | 6 / 17 | |
| 1.8.6 | 6 / 17 | |
| 1.8.5 | 6 / 17 | |
| 1.8.4 | 6 / 17 | |
| 1.8.3 | 6 / 17 | |
| 1.8.2 | 6 / 17 | |
| 1.8.1 | 6 / 17 | |
| 1.8.0 | 6 / 17 | |
| 1.7.0 | 6 / 17 | |
| 1.6.1 | 6 / 17 | |
| 1.6.0 | 6 / 17 | |
| 1.5.20 | 6 / 16 | |
| 1.5.19 | 6 / 15 | |
| 1.5.18 | 6 / 15 | |
| 1.5.17 | 4 / 17 | |
| 1.5.16 | 4 / 17 | |
| 1.5.15 | 4 / 17 | |
| 1.5.14 | 4 / 17 | |
| 1.5.13 | 4 / 17 | |
| 1.5.12 | 4 / 17 | |
| 1.5.11 | 4 / 17 | |
| 1.5.10 | 4 / 17 | |
| 1.5.8 | 4 / 17 | |
| 1.5.6 | 4 / 16 | |
| 1.5.5 | 4 / 16 | |
| 1.5.4 | 4 / 16 | |
| 1.5.3 | 4 / 16 | |
| 1.5.2 | 4 / 16 | |
| 1.5.1 | 4 / 16 | |
| 1.5.0 | 4 / 16 | |
| 1.4.36 | 4 / 16 | |
| 1.4.35 | 4 / 16 | |
| 1.4.34 | 4 / 16 | |
| 1.4.33 | 4 / 16 | |
| 1.4.32 | 4 / 16 | |
| 1.4.31 | 4 / 16 | |
| 1.4.30 | 4 / 16 | |
| 1.4.29 | 4 / 16 | |
| 1.4.28 | 4 / 16 | |
| 1.4.27 | 4 / 16 | |
| 1.4.26 | 4 / 15 | |
| 1.4.25 | 4 / 15 | |
| 1.4.24 | 4 / 15 | |
| 1.4.23 | 4 / 15 | |
| 1.4.22 | 4 / 15 | |
| 1.4.21 | 4 / 15 | |
| 1.4.20 | 4 / 15 | |
| 1.4.19 | 4 / 14 | |
| 1.4.18 | 4 / 14 | |
| 1.4.17 | 4 / 14 | |
| 1.4.16 | 4 / 14 | |
| 1.4.15 | 4 / 14 | |
| 1.4.14 | 4 / 14 | |
| 1.4.13 | 4 / 14 | |
| 1.4.12 | 4 / 14 | |
| 1.4.11 | 4 / 14 | |
| 1.4.10 | 4 / 14 | |
| 1.4.9 | 4 / 14 | |
| 1.4.8 | 4 / 14 | |
| 1.4.7 | 4 / 14 | |
| 1.4.6 | 4 / 15 | |
| 1.4.5 | 4 / 15 | |
| 1.4.4 | 4 / 15 | |
| 1.4.3 | 3 / 15 | |
| 1.4.2 | 2 / 16 | |
| 1.4.1 | 2 / 16 | |
| 1.4.0 | 2 / 16 | |
| 1.3.3 | 2 / 16 | |
| 1.3.2 | 2 / 16 | |
| 1.3.1 | 2 / 16 | |
| 1.3.0 | 2 / 16 | |
| 1.2.25 | 1 / 15 |
v1.8.36
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.35
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-08. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-06. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.8
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-06. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-23. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-06-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.20
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.19
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.18
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.17
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.16
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.14
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: elbandito.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.11
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: elbandito.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-27. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.10
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-11. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.8
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.6
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-11-14. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-08-17. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.36
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-07-25. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.35
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.26
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.25
2 findingsThis version was published by a different npm account than previous versions on 2018-05-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.24
2 findingsThis version was published by a different npm account than previous versions on 2018-05-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.23
2 findingsThis version was published by a different npm account than previous versions on 2018-05-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.22
2 findingsThis version was published by a different npm account than previous versions on 2018-05-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.21
2 findingsThis version was published by a different npm account than previous versions on 2018-05-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.20
2 findingsThis version was published by a different npm account than previous versions on 2018-05-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.19
2 findingsThis version was published by a different npm account than previous versions on 2018-05-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.18
2 findingsThis version was published by a different npm account than previous versions on 2018-05-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.17
2 findingsThis version was published by a different npm account than previous versions on 2018-04-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.16
2 findingsThis version was published by a different npm account than previous versions on 2018-04-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.15
2 findingsThis version was published by a different npm account than previous versions on 2018-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.14
2 findingsThis version was published by a different npm account than previous versions on 2018-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.13
2 findingsThis version was published by a different npm account than previous versions on 2018-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.12
2 findingsThis version was published by a different npm account than previous versions on 2018-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.11
2 findingsThis version was published by a different npm account than previous versions on 2018-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.10
2 findingsThis version was published by a different npm account than previous versions on 2018-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.9
2 findingsThis version was published by a different npm account than previous versions on 2018-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.8
2 findingsThis version was published by a different npm account than previous versions on 2018-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.7
2 findingsThis version was published by a different npm account than previous versions on 2018-04-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.6
2 findingsThis version was published by a different npm account than previous versions on 2018-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.5
2 findingsThis version was published by a different npm account than previous versions on 2018-03-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.4
2 findingsThis version was published by a different npm account than previous versions on 2018-03-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
2 findingsThis version was published by a different npm account than previous versions on 2018-03-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
2 findingsThis version was published by a different npm account than previous versions on 2018-02-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
2 findingsThis version was published by a different npm account than previous versions on 2018-02-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findingsThis version was published by a different npm account than previous versions on 2018-02-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
2 findingsThis version was published by a different npm account than previous versions on 2018-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
2 findingsThis version was published by a different npm account than previous versions on 2018-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
2 findingsThis version was published by a different npm account than previous versions on 2018-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
2 findingsThis version was published by a different npm account than previous versions on 2018-02-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.25
2 findingsThis version was published by a different npm account than previous versions on 2018-02-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.