@peculiar/asn1-schema — Greenflagged

Decorators for ASN.1 schemas building

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

rmhriskmicroshineyury.strozhevskypeculiarventuresapilgukdonskovworldthirteen

Keywords

asnasn1schemaserializeparsedecoratorder

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from personal account to GitHub Actions CI/CD; SLSA provenance confirms legitimate publish pipeline.	ai	2026/05/27
provenance	missing-githead	AI (provenance): GitHub Actions publish flow omits gitHead; SLSA provenance compensates.	ai	2026/05/27
publish-pattern	dormant-publish	AI (publish-pattern): Established package with infrequent releases; 235-day gap is normal for stable libraries.	ai	2026/05/27
dependencies	unvetted-dep:pvtsutils	AI (dependencies): pvtsutils is a core PeculiarVentures utility dependency present across all versions of this package; stable false positive for this package.	ai	2026/04/23
dependencies	unvetted-dep:asn1js	AI (dependencies): asn1js is a core PeculiarVentures dependency that has been present across all versions of this package; stable false positive for this package.	ai	2026/04/23
dependencies	unvetted-dep:@types/asn1js	AI (dependencies): @types/asn1js is a legitimate TypeScript type definitions package for asn1js, appropriate for this TypeScript-based ASN.1 schema library.	ai	2026/04/23
phantom-deps	phantom-dep:@types/asn1js	AI (phantom-deps): @types/asn1js is a TypeScript type definition package; it is loaded by convention via TypeScript's type resolution, not direct imports. This is expected and stable for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): PeculiarVentures packages consistently lack Sigstore provenance; this is a known gap for this publisher, not a risk indicator.	ai	2026/04/21

Versions (showing 45 of 45)

Version	Deps	Published
2.7.0	3 / 0	2026-05-01
2.6.0	3 / 0	2025-11-16
2.5.0	3 / 0	2025-09-08
2.4.0	3 / 0	2025-07-16
2.3.15	3 / 0	2024-12-23
2.3.13	3 / 0	2024-08-01
2.3.8	3 / 0	2023-10-17
2.3.6	3 / 0	2023-03-13
2.3.3	3 / 0	2022-11-08
2.3.0	3 / 0	2022-08-04
2.2.0	3 / 0	2022-06-24
2.1.9	3 / 0	2022-06-13
2.1.8	3 / 0	2022-05-19
2.1.7	3 / 0	2022-05-16
2.1.6	3 / 0	2022-05-12
2.1.5	4 / 0	2022-05-12
2.1.0	4 / 0	2022-03-18
2.0.44	4 / 0	2021-11-10
2.0.38	4 / 0	2021-08-11
2.0.37	4 / 0	2021-07-21
2.0.36	4 / 0	2021-05-31
2.0.32	4 / 0	2021-04-28
2.0.29	4 / 0	2021-04-21
2.0.27	4 / 0	2020-12-02
2.0.26	4 / 0	2020-11-18
2.0.25	4 / 0	2020-11-03
2.0.23	4 / 0	2020-10-07
2.0.17	4 / 0	2020-08-25
2.0.13	4 / 0	2020-08-10
2.0.12	4 / 0	2020-07-30
2.0.11	4 / 0	2020-07-30
2.0.8	4 / 0	2020-07-15
2.0.7	4 / 0	2020-07-14
2.0.5	4 / 0	2020-06-01
2.0.4	4 / 0	2020-06-01
2.0.3	4 / 0	2020-05-08
2.0.1	3 / 0	2020-05-06
1.1.2	2 / 8	2020-04-11
1.1.1	2 / 8	2020-04-11
1.1.0	2 / 8	2020-04-11
1.0.5	2 / 8	2020-03-15
1.0.4	2 / 8	2020-03-15
1.0.3	2 / 7	2019-03-20
1.0.2	2 / 9	2019-02-05
1.0.1	2 / 9	2018-11-26

v2.7.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: microshine → GitHub Actions (on 2026-05-01) provenance

This version was published by a different npm account than previous versions on 2026-05-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.