@peculiar/asn1-x509 — Greenflagged

ASN.1 schema of `Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile` (RFC5280)

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

rmhriskmicroshineyury.strozhevskypeculiarventuresapilgukdonskovworldthirteen

Keywords

asnasn1x509certificatecrlrfc5280

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from maintainer account to GitHub Actions CI/CD; SLSA provenance confirms legitimate publish.	ai	2026/05/27
provenance	missing-githead	AI (provenance): Expected when migrating to GitHub Actions publish; SLSA provenance compensates.	ai	2026/05/27
phantom-deps	phantom-dep:asn1js	AI (phantom-deps): asn1js is used transitively via @peculiar/asn1-schema; declared for version pinning.	ai	2026/05/27
source-diff	encoded-string-file:test/x509.ts	AI (source-diff): Base64-encoded X.509 certificates in test fixtures are expected for an ASN.1 X.509 parsing library.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Inflated semver reflects migration from an established monorepo (PeculiarVentures/asn1-schema). Short README is a quality issue, not a security signal. Stable for this package.	ai	2026/04/21

Versions (showing 50 of 50)

Version	Deps	Published
2.7.0	4 / 0	2026-05-01
2.6.1	4 / 0	2026-02-12
2.6.0	4 / 0	2025-11-16
2.5.0	4 / 0	2025-09-08
2.4.0	4 / 0	2025-07-16
2.3.15	4 / 0	2024-12-23
2.3.13	5 / 0	2024-08-01
2.3.8	5 / 0	2023-10-17
2.3.6	5 / 0	2023-03-13
2.3.5	5 / 0	2023-03-13
2.3.4	5 / 0	2022-11-08
2.3.3	5 / 0	2022-11-08
2.3.2	5 / 0	2022-10-06
2.3.0	5 / 0	2022-08-04
2.2.0	5 / 0	2022-06-24
2.1.9	5 / 0	2022-06-13
2.1.8	5 / 0	2022-05-19
2.1.7	5 / 0	2022-05-16
2.1.6	5 / 0	2022-05-12
2.1.5	5 / 0	2022-05-12
2.1.4	5 / 0	2022-04-15
2.1.3	5 / 0	2022-04-13
2.1.0	5 / 0	2022-03-18
2.0.44	5 / 0	2021-11-10
2.0.38	5 / 0	2021-08-11
2.0.37	5 / 0	2021-07-21
2.0.36	5 / 0	2021-05-31
2.0.32	5 / 0	2021-04-28
2.0.29	5 / 0	2021-04-21
2.0.27	5 / 0	2020-12-02
2.0.26	5 / 0	2020-11-18
2.0.25	5 / 0	2020-11-03
2.0.23	5 / 0	2020-10-07
2.0.22	5 / 0	2020-09-07
2.0.21	5 / 0	2020-09-04
2.0.20	5 / 0	2020-09-01
2.0.17	5 / 0	2020-08-25
2.0.14	5 / 0	2020-08-10
2.0.13	5 / 0	2020-08-10
2.0.12	5 / 0	2020-07-30
2.0.11	5 / 0	2020-07-30
2.0.10	5 / 0	2020-07-15
2.0.9	5 / 0	2020-07-15
2.0.8	5 / 0	2020-07-15
2.0.7	5 / 0	2020-07-14
2.0.5	5 / 0	2020-06-01
2.0.4	5 / 0	2020-06-01
2.0.3	4 / 0	2020-05-08
2.0.2	4 / 0	2020-05-07
2.0.1	4 / 0	2020-05-06

v2.7.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: microshine → GitHub Actions (on 2026-05-01) provenance

This version was published by a different npm account than previous versions on 2026-05-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.