@statsig/client-core — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

daniel-statsigwhdingsdk.devaraf-statsigandre-statsigkenny-statsigquan-statsigbrocklumbardstatsig-devinalisha-statsigjoe-statsigkat_gao_030

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	no-description	AI (npm-metadata): Internal monorepo sub-package; missing description is stable and benign.	ai	2026/05/29
bogus-package	bogus-package	AI (bogus-package): Monorepo sub-package with no deps/keywords/description; not spam indicators here.	ai	2026/05/29
provenance	publisher-changed	AI (provenance): Transition from human publisher to GitHub Actions CI/CD with SLSA provenance; legitimate.	ai	2026/05/29
maintainer-change	maintainer-added	AI (maintainer-change): Internal Statsig org maintainer rotation; new publisher has clean track record within the org.	ai	2026/04/27
maintainer-change	maintainer-removed	AI (maintainer-change): Bulk removal consistent with org-level maintainer consolidation, not a hostile takeover pattern.	ai	2026/04/27
publish-pattern	dormant-publish	AI (publish-pattern): Established Statsig monorepo package; dormancy likely reflects release cadence, not account compromise.	ai	2026/04/27

Versions (showing 55 of 55)

Version	Deps	Published
3.33.2	0 / 0	2026-05-26
3.33.1	0 / 0	2026-05-20
3.33.0	0 / 0	2026-04-23
3.32.6	0 / 0	2026-04-14
3.32.5	0 / 0	2026-04-09
3.32.4	0 / 0	2026-04-06
3.32.3	0 / 0	2026-03-27
3.32.2	0 / 0	2026-03-19
3.32.1	0 / 0	2026-03-16
3.32.0	0 / 0	2026-02-25
3.31.2	0 / 0	2026-01-15
3.31.1	0 / 0	2026-01-08
3.31.0	0 / 0	2025-12-15
3.30.2	0 / 0	2025-12-03
3.30.1	0 / 0	2025-12-01
3.30.0	0 / 0	2025-11-07
3.29.1	0 / 0	2025-10-28
3.29.0	0 / 0	2025-10-24
3.28.1	0 / 0	2025-10-22
3.28.0	0 / 0	2025-10-21
3.27.0	0 / 0	2025-10-15
3.26.0	0 / 0	2025-10-06
3.25.6	0 / 0	2025-10-02
3.25.5	0 / 0	2025-09-23
3.25.4	0 / 0	2025-09-22
3.25.3	0 / 0	2025-09-15
3.25.2	0 / 0	2025-09-10
3.25.1	0 / 0	2025-09-05
3.25.0	0 / 0	2025-09-04
3.24.4	0 / 0	2025-08-22
3.24.3	0 / 0	2025-08-22
3.24.2	0 / 0	2025-08-21
3.24.1	0 / 0	2025-08-20
3.24.0	0 / 0	2025-08-20
3.23.0	0 / 0	2025-08-20
3.22.0	0 / 0	2025-08-13
3.21.1	0 / 0	2025-08-06
3.21.0	0 / 0	2025-08-05
3.20.4	0 / 0	2025-08-05
3.20.3	0 / 0	2025-07-29
3.20.2	0 / 0	2025-07-25
3.20.1	0 / 0	2025-07-24
3.20.0	0 / 0	2025-07-22
3.19.0	0 / 0	2025-07-18
3.18.3	0 / 0	2025-07-17
3.18.2	0 / 0	2025-07-08
3.18.1	0 / 0	2025-06-23
3.18.0	0 / 0	2025-06-13
3.17.2	0 / 0	2025-05-28
3.17.1	0 / 0	2025-05-20
3.17.0	0 / 0	2025-05-15
3.16.2	0 / 0	2025-05-12
3.16.1	0 / 0	2025-05-07
3.16.0	0 / 0	2025-05-01
3.15.5	0 / 0	2025-04-28

v3.33.2

2 findings

HIGH Publisher changed: araf-statsig → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.33.1

2 findings

HIGH Publisher changed: araf-statsig → sdk.dev (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.