@types/cheerio
Stub TypeScript definitions entry for cheerio, which provides its own types definitions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:https://github.com/blittle | AI (email-domain): False positive: 'https://github.com/blittle' is a GitHub URL in the author field, not an email domain. Standard DefinitelyTyped contributor format. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Stub migration packages in @types/* are published once when upstream bundles types; long dormancy before a single stub release is the expected lifecycle, not a takeover signal. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Adding cheerio as a dependency is the entire purpose of this stub package — it redirects @types/cheerio consumers to cheerio's own bundled types. This is the standard DefinitelyTyped migration pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Stub redirect packages in @types/* are intentionally minimal: no code, no README, no keywords. The deprecated field and single redirect dep are the complete, correct payload for this package type. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Source dropping to 0B is expected — the stub intentionally ships no type definitions, delegating entirely to the cheerio package's own bundled types. | ai | |
| phantom-deps | phantom-dep:cheerio | AI (phantom-deps): Stub packages don't import anything; the cheerio dep exists solely to trigger npm installation of the real types. Phantom-dep finding is a stable false positive for this package. | ai |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 1 / 0 | |
| 0.22.35 | 1 / 0 | |
| 0.22.34 | 1 / 0 | |
| 0.22.33 | 1 / 0 | |
| 0.22.32 | 1 / 0 | |
| 0.22.31 | 1 / 0 | |
| 0.22.30 | 1 / 0 | |
| 0.22.29 | 1 / 0 | |
| 0.22.28 | 1 / 0 | |
| 0.22.27 | 1 / 0 | |
| 0.22.26 | 1 / 0 | |
| 0.22.25 | 1 / 0 | |
| 0.22.24 | 1 / 0 | |
| 0.22.23 | 1 / 0 | |
| 0.22.22 | 1 / 0 | |
| 0.22.21 | 1 / 0 | |
| 0.22.20 | 1 / 0 | |
| 0.22.19 | 1 / 0 | |
| 0.22.18 | 1 / 0 | |
| 0.22.17 | 1 / 0 | |
| 0.22.16 | 1 / 0 | |
| 0.22.15 | 1 / 0 | |
| 0.22.14 | 1 / 0 | |
| 0.22.13 | 1 / 0 | |
| 0.22.12 | 1 / 0 | |
| 0.22.11 | 1 / 0 | |
| 0.22.10 | 0 / 0 | |
| 0.22.9 | 0 / 0 | |
| 0.22.8 | 0 / 0 | |
| 0.22.7 | 0 / 0 | |
| 0.22.6 | 0 / 0 | |
| 0.22.5 | 0 / 0 | |
| 0.22.4 | 0 / 0 | |
| 0.22.3 | 0 / 0 | |
| 0.22.2 | 0 / 0 | |
| 0.22.1 | 0 / 0 | |
| 0.22.0 | 0 / 0 | |
| 0.17.31 | 0 / 0 | |
| 0.17.30 | 0 / 0 | |
| 0.17.29 | 0 / 0 |
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.35
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.29
2 findingsMaintainer email 'https://github.com/blittle' uses domain 'https://github.com/blittle' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.