@peculiar/asn1-cms — Greenflagged

ASN.1 schema of `Cryptographic Message Syntax (CMS)` (RFC5652)

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

rmhriskmicroshineyury.strozhevskypeculiarventuresapilgukdonskovworldthirteen

Keywords

asnasn1cmspkcs7cryptographyrfc5652

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from personal account to GitHub Actions CI/CD; SLSA attestation confirms legitimate publish pipeline.	ai	2026/05/27
provenance	missing-githead	AI (provenance): Expected when publishing via GitHub Actions; SLSA provenance compensates.	ai	2026/05/27
bogus-package	bogus-package	AI (bogus-package): Inflated semver is expected for a monorepo package versioned in sync with siblings; short README is typical for a focused ASN.1 schema utility. Not indicative of spam or malicious intent.	ai	2026/04/21
phantom-deps	phantom-dep:asn1js	AI (phantom-deps): asn1js is a declared runtime dependency used in build/type config; phantom-dep false positive for TypeScript monorepo packages.	ai	2026/04/21

Versions (showing 56 of 56)

Version	Deps	Published
2.7.0	5 / 0	2026-05-01
2.6.1	5 / 0	2026-02-12
2.6.0	5 / 0	2025-11-16
2.5.0	5 / 0	2025-09-08
2.4.0	5 / 0	2025-07-16
2.3.15	5 / 0	2024-12-23
2.3.13	5 / 0	2024-08-01
2.3.12	5 / 0	2024-08-01
2.3.8	5 / 0	2023-10-17
2.3.6	5 / 0	2023-03-13
2.3.5	5 / 0	2023-03-13
2.3.4	5 / 0	2022-11-08
2.3.3	5 / 0	2022-11-08
2.3.2	5 / 0	2022-10-06
2.3.1	5 / 0	2022-09-11
2.3.0	5 / 0	2022-08-04
2.2.0	5 / 0	2022-06-24
2.1.9	5 / 0	2022-06-13
2.1.8	5 / 0	2022-05-19
2.1.7	5 / 0	2022-05-16
2.1.6	5 / 0	2022-05-12
2.1.5	5 / 0	2022-05-12
2.1.4	5 / 0	2022-04-15
2.1.3	5 / 0	2022-04-13
2.1.0	5 / 0	2022-03-18
2.0.44	5 / 0	2021-11-10
2.0.38	5 / 0	2021-08-11
2.0.37	5 / 0	2021-07-21
2.0.36	5 / 0	2021-05-31
2.0.33	5 / 0	2021-05-10
2.0.32	5 / 0	2021-04-28
2.0.29	5 / 0	2021-04-21
2.0.27	5 / 0	2020-12-02
2.0.26	5 / 0	2020-11-18
2.0.25	5 / 0	2020-11-03
2.0.24	5 / 0	2020-10-16
2.0.23	5 / 0	2020-10-07
2.0.22	5 / 0	2020-09-07
2.0.21	5 / 0	2020-09-04
2.0.20	5 / 0	2020-09-01
2.0.19	5 / 0	2020-08-27
2.0.18	4 / 0	2020-08-27
2.0.17	4 / 0	2020-08-25
2.0.14	4 / 0	2020-08-10
2.0.13	4 / 0	2020-08-10
2.0.12	4 / 0	2020-07-30
2.0.11	4 / 0	2020-07-30
2.0.10	4 / 0	2020-07-15
2.0.9	4 / 0	2020-07-15
2.0.8	4 / 0	2020-07-15
2.0.7	4 / 0	2020-07-14
2.0.5	4 / 0	2020-06-01
2.0.4	4 / 0	2020-06-01
2.0.3	4 / 0	2020-05-08
2.0.2	4 / 0	2020-05-07
2.0.1	4 / 0	2020-05-06

v2.7.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: microshine → GitHub Actions (on 2026-05-01) provenance

This version was published by a different npm account than previous versions on 2026-05-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.