add
A cross-browser, numerically stable algorithm to add floats accurately
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): 'add' is a legitimate, 12-year-old package by Raynos. Levenshtein proximity to 'ajv' is coincidental for a 3-letter generic English word. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): 'add' is a legitimate, 12-year-old package by Raynos. Levenshtein proximity to 'zod' is coincidental for a 3-letter generic English word. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from npmbot to benng in 2014 is a legitimate author reclaim. Package author, repo URL, and publisher all match. No compromise indicators. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): benng is the legitimate author per package.json; addition reflects reclaiming package from npmbot placeholder. | ai | |
| source-diff | source-size-tripled | AI (source-diff): v2 implements a numerically stable summation algorithm, legitimately larger than a trivial v1. No obfuscation or suspicious patterns flagged. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): npmbot removal is expected and benign; it was a placeholder, not a real maintainer. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): npmbot→benng transition in 2014 is a well-known early npm pattern where real authors reclaimed packages from the npm placeholder bot. Author identity in package.json matches publisher perfectly. | ai | |
| provenance | no-provenance | AI (provenance): Established package by known publisher with long track record; lack of Sigstore attestation is not a security risk for this package. | ai |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 2.0.6 | 0 / 1 | |
| 2.0.5 | 0 / 1 | |
| 2.0.4 | 0 / 1 | |
| 2.0.2 | 0 / 1 | |
| 2.0.1 | 0 / 1 | |
| 2.0.0 | 0 / 0 | |
| 1.0.0 | 0 / 1 |
v2.0.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: benng.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
3 findingsAll previous maintainers (npmbot) were replaced by new maintainers (benng, joeybaker). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-06-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
3 findingsAll previous maintainers (npmbot) were replaced by new maintainers (benng). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-06-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
3 findingsAll previous maintainers (npmbot) were replaced by new maintainers (benng). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-06-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
3 findingsAll previous maintainers (npmbot) were replaced by new maintainers (benng). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-06-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findingsAll previous maintainers (npmbot) were replaced by new maintainers (raynos, benng). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-06-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.