@pnpm/fetching.binary-fetcher @1005.0.5

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 25
License
Install Scripts: No
Dependencies: 8
Dev Dependencies: 5
Package Size: 5.4 KB
Published

Maintainers

pnpmuser, zkochan

Keywords

pnpm, pnpm10

Dependencies (8)

Package               Constraint  Registry Status
ssri                  10.0.5      auto_approved
tempy                 ^1.0.1      auto_approved
adm-zip               ^0.5.17     auto_approved
is-subdir             ^1.2.0      auto_approved
@pnpm/error           1000.1.0    auto_approved
rename-overwrite      ^6.0.6      auto_approved
@pnpm/fetcher-base    1001.2.3    auto_approved
@pnpm/fetching-types  1000.2.1    auto_approved

Dev Dependencies (5)

Package                        Constraint  Registry Status
tempy                          ^1.0.1      auto_approved
@types/ssri                    ^7.1.5      auto_approved
@jest/globals                  29.7.0      auto_approved
@types/adm-zip                 ^0.5.8      auto_approved
@pnpm/fetching.binary-fetcher  1005.0.5    No greenflagged match

Transitive Dependency Tree

69 transitive deps, max depth 9
  ├─ @pnpm/error 1000.1.0 → 1000.1.0
  ├─ @pnpm/fetcher-base 1001.2.3 → 1001.2.3
  ├─ @pnpm/fetching-types 1000.2.1 → 1000.2.1
  ├─ adm-zip ^0.5.17 → 0.5.17
  ├─ is-subdir ^1.2.0 → 1.2.0
  ├─ rename-overwrite ^6.0.6 → 6.0.6
  ├─ ssri 10.0.5 → 10.0.5
├─ tempy ^1.0.1 → 1.0.1
  ├─ @pnpm/constants 1001.3.1 → 1001.3.1
  ├─ @pnpm/resolver-base 1005.4.2 → 1005.4.2
  ├─ @pnpm/types 1001.3.0 → 1001.3.0
  ├─ @types/ssri ^7.1.5 → 7.1.5
  ├─ @zkochan/retry ^0.2.0 → 0.2.0
  ├─ @zkochan/rimraf ^3.0.2
  ├─ better-path-resolve 1.0.0 → 1.0.0
  ├─ del ^6.0.0 → 6.1.1
  ├─ fs-extra 11.3.0 → 11.3.0
  ├─ is-stream ^2.0.0 → 2.0.1
  ├─ minipass ^7.0.3 → 7.1.3
  ├─ node-fetch npm:@pnpm/[email protected]
  ├─ temp-dir ^2.0.0 → 2.0.0
  ├─ type-fest ^0.16.0 → 0.16.0
├─ unique-string ^2.0.0 → 2.0.0
  ├─ @pnpm/types 1001.3.0 → 1001.3.0
  ├─ @types/node * → 25.9.1
  ├─ crypto-random-string ^2.0.0 → 2.0.0
  ├─ globby ^11.0.1 → 11.1.0
  ├─ graceful-fs ^4.2.4 → 4.2.11
  ├─ graceful-fs ^4.2.0 → 4.2.11
  ├─ is-glob ^4.0.1 → 4.0.3
  ├─ is-path-cwd ^2.2.0
  ├─ is-path-inside ^3.0.2 → 3.0.3
  ├─ is-windows ^1.0.0 → 1.0.2
  ├─ jsonfile ^6.0.1 → 6.2.1
  ├─ p-map ^4.0.0
  ├─ rimraf ^3.0.2 → 3.0.2
  ├─ slash ^3.0.0 → 3.0.0
├─ universalify ^2.0.0 → 2.0.1
  ├─ array-union ^2.1.0
  ├─ dir-glob ^3.0.1 → 3.0.1
  ├─ fast-glob ^3.2.9 → 3.3.3
  ├─ glob ^7.1.3 → 7.1.7
  ├─ ignore ^5.2.0 → 5.3.2
  ├─ is-extglob ^2.1.1 → 2.1.1
  ├─ merge2 ^1.4.1 → 1.4.1
  ├─ slash ^3.0.0 → 3.0.0
  ├─ undici-types >=7.24.0 <7.24.7 → 7.24.6
├─ universalify ^2.0.0 → 2.0.1
  ├─ @nodelib/fs.stat ^2.0.2 → 2.0.5
  ├─ @nodelib/fs.walk ^1.2.3 → 1.2.8
  ├─ fs.realpath ^1.0.0
  ├─ glob-parent ^5.1.2 → 5.1.2
  ├─ inflight ^1.0.4
  ├─ inherits 2 → 2.0.4
  ├─ merge2 ^1.3.0 → 1.4.1
  ├─ micromatch ^4.0.8 → 4.0.8
  ├─ minimatch ^3.0.4 → 3.1.5
  ├─ once ^1.3.0 → 1.4.0
  ├─ path-is-absolute ^1.0.0 → 1.0.1
├─ path-type ^4.0.0 → 4.0.0
  ├─ @nodelib/fs.scandir 2.1.5 → 2.1.5
  ├─ brace-expansion ^1.1.7 → 1.1.15
  ├─ braces ^3.0.3 → 3.0.3
  ├─ fastq ^1.6.0 → 1.20.1
  ├─ is-glob ^4.0.1 → 4.0.3
  ├─ picomatch ^2.3.1 → 2.3.2
├─ wrappy 1 → 1.0.2
  ├─ @nodelib/fs.stat 2.0.5 → 2.0.5
  ├─ balanced-match ^1.0.0 → 1.0.2
  ├─ concat-map 0.0.1 → 0.0.1
  ├─ fill-range ^7.1.1 → 7.1.1
  ├─ is-extglob ^2.1.1 → 2.1.1
  ├─ reusify ^1.0.4 → 1.1.0
├─ run-parallel ^1.1.9 → 1.2.0
  ├─ queue-microtask ^1.2.2 → 1.2.3
├─ to-regex-range ^5.0.1 → 5.0.1
  ├─ is-number ^7.0.0 → 7.0.0

Changes from v1101.0.2

Dependency Changes

Change   Package                      Version
added    @pnpm/fetcher-base           1001.2.3
added    @pnpm/fetching-types         1000.2.1
removed  @pnpm/store.index            1100.0.0
removed  @pnpm/fetching.types         1100.0.1
removed  @pnpm/fetching.fetcher-base  1100.1.1
changed  ssri                         13.0.1 → 10.0.5
changed  tempy                        3.0.0 → ^1.0.1
changed  adm-zip                      ^0.5.16 → ^0.5.17
changed  is-subdir                    ^2.0.0 → ^1.2.0
changed  @pnpm/error                  1100.0.0 → 1000.1.0
changed  rename-overwrite             ^7.0.1 → ^6.0.6

Script Changes

+ _test - .test

File Changes

1 added, 0 removed, 3 modified; size delta: +.8 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: regressed-provenance
Source: provenance
Disposition: reject
Author: AI
Reason: AI (provenance): pnpm packages consistently publish with provenance; regression is a strong compromise signal that generalizes.

SAST Findings (1)

HIGH (provenance) Provenance attestation missing — previous versions had it

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

Review Summary

Risk score: 25. Findings: 1 high (+25), 1 info (+0).

Published to npm: