@types/express-jwt — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

types

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Stub @types redirect packages are only published when the upstream package ships its own types; long dormancy is expected and not a takeover signal for this publisher.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): Adding express-jwt as the sole dependency is the correct stub redirect pattern; it replaces the old @types/* deps and is not a supply-chain risk.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): All bogus-package signals are expected for a DefinitelyTyped stub: no code, no README instructions, no keywords. The package's entire purpose is a deprecation notice.	ai	2026/04/24
phantom-deps	phantom-dep:express-jwt	AI (phantom-deps): Stub packages declare a dep without importing it by design; phantom-dep is a structural false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:@types/express-unless	AI (phantom-deps): @types/express-unless is a type-only peer dependency loaded by TypeScript convention. Standard pattern for DefinitelyTyped packages.	ai	2026/04/24
provenance	no-provenance	AI (provenance): DefinitelyTyped @types/* packages are published via automated tooling without Sigstore provenance; this is expected and stable for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/express	AI (phantom-deps): @types/express is a type-only peer dependency loaded by TypeScript convention, not via direct import. This is standard for DefinitelyTyped packages.	ai	2026/04/24