@pnpm/exe
Fast, disk space efficient package manager
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/pnpm.mjs | AI (source-diff): Long base64 string is llhttp WASM payload embedded in undici; standard pattern in pnpm's bundled dist. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are legitimate pnpm functionality (reflink support, libc detection); SLSA provenance confirms CI-published artifact. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): fastlist EXEs are documented pnpm tooling for Windows process listing; stable artifact for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): pnpm/exe bundles the full pnpm CLI; large size is expected and consistent with the package's purpose. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump bundles additional tooling; expected for this artifact package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Documented platform-binary selector for pnpm's official exe package; stable across all versions. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): Scoped @pnpm/ package; not a typosquat of 'next'. Levenshtein match is spurious. | ai | |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 11.1.3 | 2 / 5 | |
| 11.1.2 | 2 / 5 | |
| 11.0.9 | 2 / 5 | |
| 11.0.8 | 2 / 5 | |
| 11.0.6 | 2 / 4 | |
| 10.33.4 | 0 / 3 | |
| 10.33.3 | 0 / 3 | |
| 10.33.2 | 0 / 3 | |
| 10.33.1 | 0 / 3 | |
| 10.33.0 | 0 / 3 | |
| 10.32.1 | 0 / 3 | |
| 10.32.0 | 0 / 3 | |
| 10.30.3 | 0 / 3 | |
| 10.30.2 | 0 / 3 | |
| 10.30.1 | 0 / 3 | |
| 10.30.0 | 0 / 3 | |
| 10.29.3 | 0 / 3 | |
| 10.29.2 | 0 / 3 | |
| 10.29.1 | 0 / 3 | |
| 10.29.0 | 0 / 3 | |
| 10.28.2 | 0 / 3 | |
| 10.28.1 | 0 / 3 | |
| 10.28.0 | 0 / 3 | |
| 10.27.0 | 0 / 3 | |
| 10.26.2 | 0 / 3 | |
| 10.26.1 | 0 / 3 | |
| 10.26.0 | 0 / 3 | |
| 10.25.0 | 0 / 3 | |
| 10.24.0 | 0 / 3 | |
| 10.23.0 | 0 / 3 | |
| 10.21.0 | 0 / 3 | |
| 10.20.0 | 0 / 3 | |
| 10.19.0 | 0 / 3 | |
| 10.18.3 | 0 / 3 | |
| 10.18.2 | 0 / 3 | |
| 10.18.1 | 0 / 3 | |
| 10.17.0 | 0 / 3 | |
| 10.16.1 | 0 / 3 | |
| 10.16.0 | 0 / 3 | |
| 10.15.1 | 0 / 3 | |
| 10.14.0 | 0 / 3 | |
| 10.12.4 | 0 / 3 | |
| 10.12.1 | 0 / 3 | |
| 10.11.1 | 0 / 3 | |
| 10.11.0 | 0 / 3 | |
v11.1.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.1.2
2 findings:
- Modified file contains 7 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.9
2 findings:
- Package contains compiled binaries that could be backdoors: dist/vendor/fastlist-0.3.0-x64.exe, dist/vendor/fastlist-0.3.0-x86.exe
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.6
3 findings:
- Package contains compiled binaries that could be backdoors: dist/vendor/fastlist-0.3.0-x64.exe, dist/vendor/fastlist-0.3.0-x86.exe
- This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.33.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.33.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.33.2
2 findings:
- Script: node setup.js
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.33.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.33.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.32.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.32.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.30.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.30.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.30.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.30.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.29.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.29.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.29.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.29.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.28.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.28.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.28.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.27.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.26.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.26.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.26.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.25.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.24.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.19.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.18.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.18.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.18.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.17.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.16.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.15.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.14.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.12.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.12.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.11.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.