@yao-pkg/pkg-fetch — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

roberts_lando

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing with SLSA provenance; legitimate automation pattern for this package.	ai	2026/05/28
semgrep	semgrep:env-spread	AI (semgrep): Build tool passes env to subprocess for Node.js compilation; standard pattern, not exfiltration.	ai	2026/05/06
semgrep	semgrep:child-process-import	AI (semgrep): pkg-fetch is a build tool that compiles Node.js binaries; child_process use is inherent to its function.	ai	2026/05/06

Versions (showing 16 of 16)

Version	Deps	Published
3.6.3	7 / 20	2026-05-27
3.6.2	7 / 20	2026-05-26
3.6.1	7 / 20	2026-05-26
3.5.34	7 / 20	2026-05-27
3.5.33	7 / 20	2026-03-31
3.5.32	7 / 20	2026-01-15
3.5.31	7 / 20	2025-12-11
3.5.30	7 / 20	2025-10-29
3.5.29	7 / 20	2025-10-15
3.5.28	7 / 20	2025-10-06
3.5.27	7 / 20	2025-10-06
3.5.26	7 / 20	2025-10-03
3.5.25	7 / 20	2025-09-26
3.5.24	7 / 20	2025-07-19
3.5.23	7 / 20	2025-05-17
3.5.22	7 / 20	2025-05-15

v3.6.3

2 findings

HIGH Publisher changed: roberts_lando → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.6.2

2 findings

HIGH Publisher changed: roberts_lando → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.6.1

2 findings

HIGH Publisher changed: roberts_lando → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.5.34

2 findings

HIGH Publisher changed: roberts_lando → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.5.33

2 findings

HIGH env-spread: lib-es5/build.js:176 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/yao-pkg/pkg-fetch/blob/873add6e109eea7092bbe7a0dfe9b9b4bf342abb/lib-es5/build.js#L176 174 | await (0, utils_1.spawn)('cmd', args, { 175 | cwd: nodePath, > 176 | env: { ...process.env, config_flags: config_flags.join(' ') }, 177 | stdio: 'inherit', 178 | });