@types/glob
Stub TypeScript definitions entry for glob, which provides its own types definitions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:https://github.com/vvakame/ | AI (email-domain): The 'email' field is actually a GitHub profile URL used as an author identifier, not a real email address. No actual email domain is at risk. This is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@types/minimatch | AI (dependencies): @types/minimatch is a standard DefinitelyTyped type-only dependency; no runtime code, stable pattern for @types/glob. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a framework-scoped type package loaded by convention in DefinitelyTyped packages; not a real phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@types/events | AI (phantom-deps): @types/events is a type-only dependency loaded by convention; phantom-dep finding is a false positive for DefinitelyTyped packages. | ai | |
| phantom-deps | phantom-dep:@types/minimatch | AI (phantom-deps): @types/minimatch is a type-only dependency loaded by convention; phantom-dep finding is a false positive for DefinitelyTyped packages. | ai | |
| dependencies | unvetted-dep:@types/events | AI (dependencies): @types/events is a standard DefinitelyTyped type-only dependency; no runtime code, stable pattern for @types/glob. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): The glob dependency is intentional in a stub types package — it ensures glob is installed when this stub is used. Not a phantom dep in the problematic sense. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Stub @types/* packages intentionally have no code, minimal README, and no repo URL. These signals are expected and stable for this package type. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): @types/glob is a legitimate TypeScript stub for the 'glob' package, not a typosquat of 'got'. The @types/ scoped naming convention makes this a stable false positive. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 9.0.0 | 1 / 0 | |
| 8.1.0 | 2 / 0 | |
| 8.0.1 | 2 / 0 | |
| 8.0.0 | 2 / 0 | |
| 7.2.0 | 2 / 0 | |
| 7.1.4 | 2 / 0 | |
| 7.1.3 | 2 / 0 | |
| 7.1.2 | 2 / 0 | |
| 7.1.0 | 3 / 0 | |
| 5.0.38 | 2 / 0 | |
| 5.0.37 | 2 / 0 | |
| 5.0.36 | 3 / 0 | |
| 5.0.35 | 3 / 0 | |
| 5.0.34 | 3 / 0 | |
| 5.0.33 | 2 / 0 | |
| 5.0.32 | 2 / 0 | |
| 5.0.31 | 2 / 0 | |
| 5.0.30 | 2 / 0 | |
| 5.0.29 | 2 / 0 | |
v7.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.38
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.37
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.35
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.34
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.31
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.29
2 findings:
Maintainer email 'https://github.com/vvakame/' uses domain 'https://github.com/vvakame/' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.