@types/gulp-util
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:https://github.com/jedmao | AI (email-domain): The 'email' field contains a GitHub profile URL, not an actual email address. The analyzer is misinterpreting a URL as an email domain. No real hijacking risk exists. | ai | |
| phantom-deps | phantom-dep:@types/chalk | AI (phantom-deps): @types packages are loaded by TypeScript compiler convention, not direct imports. Phantom dep findings are expected false positives for all @types packages. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type-only packages declare @types/* deps for TypeScript resolution, not direct imports. This is standard DefinitelyTyped practice. | ai | |
| phantom-deps | phantom-dep:@types/vinyl | AI (phantom-deps): Type-only packages declare @types/* deps for TypeScript resolution, not direct imports. This is standard DefinitelyTyped practice. | ai | |
| phantom-deps | phantom-dep:@types/through2 | AI (phantom-deps): Type-only packages declare @types/* deps for TypeScript resolution, not direct imports. This is standard DefinitelyTyped practice. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 3.0.41 | 4 / 0 | |
| 3.0.40 | 4 / 0 | |
| 3.0.39 | 4 / 0 | |
| 3.0.38 | 4 / 0 | |
| 3.0.37 | 4 / 0 | |
| 3.0.36 | 4 / 0 | |
| 3.0.35 | 4 / 0 | |
| 3.0.34 | 4 / 0 | |
| 3.0.33 | 4 / 0 | |
| 3.0.32 | 4 / 0 | |
| 3.0.31 | 4 / 0 | |
| 3.0.30 | 4 / 0 | |
| 3.0.29 | 4 / 0 | |
| 3.0.28 | 4 / 0 | |
v3.0.41
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.40
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.39
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.38
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.35
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.34
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.31
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.28
2 findings: Maintainer email 'https://github.com/jedmao' uses domain 'https://github.com/jedmao' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.