@scarf/scarf Apache-2.0 19 versions

@scarf/scarf

npm Repository Homepage

Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.

19

Versions

Apache-2.0

License

Yes

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

hollyos-scarfaviaviavi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Minimal metadata is a known characteristic of this intentionally small scoped package; 6+ year history and ecosystem adoption confirm legitimacy.	ai	2026/04/24
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall running report.js is the core documented function of @scarf/scarf — install telemetry analytics. Stable across all 27 versions of this package.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used in report.js for system info gathering (OS/env details) as part of install telemetry — consistent with the package's documented analytics purpose.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is used to load the host package's package.json for dependency reporting — core to the analytics functionality, not arbitrary module loading.	ai	2026/04/23

Versions (showing 19 of 19)

Version	Deps	Published
1.4.0	0 / 3	2024-11-06
1.1.1	0 / 3	2021-06-05
1.1.0	0 / 3	2020-07-23
1.0.6	0 / 3	2020-06-10
1.0.3	0 / 3	2020-04-23
1.0.2	0 / 3	2020-04-23
1.0.0	0 / 3	2020-04-17
0.2.0	0 / 3	2020-04-15
0.1.8	0 / 3	2021-02-17
0.1.5	0 / 2	2020-03-27
0.1.4	0 / 2	2020-03-26
0.1.3	0 / 2	2020-03-25
0.1.2	0 / 2	2020-03-18
0.1.1	0 / 2	2020-03-16
0.1.0	0 / 2	2020-03-13
0.0.6	0 / 0	2019-12-30
0.0.5	0 / 0	2019-12-23
0.0.3	0 / 0	2019-12-21
0.0.2	0 / 0	2019-12-13

v1.4.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./report.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.