archiver — Greenflagged

a streaming interface for archive generation

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ctalkington

Keywords

archivearchiverstreamziptar

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate transition.	ai	2026/05/08
publish-pattern	dormant-publish	AI (publish-pattern): Mature package with infrequent major releases; 799-day gap is normal for stable software.	ai	2026/05/08
provenance	no-provenance	AI (provenance): archiver is a 4943-day-old package predating Sigstore provenance on npm; absence of attestation is expected and not a risk signal for this package.	ai	2026/04/22
dependencies	unvetted-dep:zip-stream	AI (dependencies): zip-stream is a first-party sibling package from the archiverjs org, maintained by the same author (ctalkington). It is a core, expected dependency of archiver.	ai	2026/04/22
dependencies	unvetted-dep:archiver-utils	AI (dependencies): archiver-utils is a first-party sibling package from the archiverjs org, maintained by the same author (ctalkington). It is a core, expected dependency of archiver.	ai	2026/04/22

Versions (showing 80 of 80)

Version	Deps	Published
8.0.0	9 / 10	2026-05-08
7.0.1	7 / 9	2024-03-10
7.0.0	7 / 9	2024-02-28
6.0.2	7 / 9	2024-02-27
6.0.1	7 / 9	2023-09-04
6.0.0	7 / 9	2023-08-18
5.3.2	7 / 9	2023-08-17
5.3.1	7 / 9	2022-04-15
5.3.0	7 / 9	2021-03-07
5.2.0	7 / 9	2021-01-07
5.1.0	7 / 9	2020-11-20
5.0.2	7 / 9	2020-09-11
5.0.1	7 / 9	2020-09-11
5.0.0	7 / 9	2020-07-23
4.0.2	7 / 9	2020-07-11
4.0.1	7 / 9	2020-04-14
4.0.0	7 / 9	2020-04-14
3.1.1	7 / 9	2019-08-02
3.1.0	7 / 9	2019-08-02
3.0.3	7 / 9	2019-07-20
3.0.1	7 / 9	2019-07-19
3.0.0	7 / 9	2018-08-22
2.1.1	8 / 9	2018-01-10
2.1.0	8 / 9	2017-10-12
2.0.3	9 / 9	2017-08-26
2.0.2	9 / 9	2017-08-26
2.0.1	9 / 9	2017-08-26
2.0.0	9 / 9	2017-07-05
1.3.0	9 / 9	2016-12-13
1.2.0	8 / 9	2016-11-02
1.1.0	8 / 9	2016-08-29
1.0.1	8 / 9	2016-07-28
1.0.0	8 / 9	2016-04-06
0.21.0	8 / 9	2015-12-22
0.20.0	8 / 7	2015-11-30
0.19.0	8 / 7	2015-11-28
0.18.0	8 / 7	2015-11-28
0.17.0	8 / 7	2015-11-24
0.16.0	8 / 7	2015-10-17
0.15.1	8 / 7	2015-09-10
0.15.0	8 / 7	2015-08-22
0.14.4	8 / 7	2015-05-20
0.14.3	8 / 7	2015-02-15
0.14.2	8 / 7	2015-01-23
0.14.1	8 / 7	2015-01-23
0.14.0	8 / 7	2015-01-23
0.13.1	8 / 7	2015-01-03
0.13.0	8 / 5	2014-11-28
0.12.0	8 / 5	2014-10-24
0.11.0	8 / 5	2014-08-24
0.10.1	7 / 5	2014-06-17
0.10.0	7 / 5	2014-05-29
0.9.1	7 / 5	2014-05-04
0.9.0	7 / 5	2014-04-19
0.8.1	6 / 5	2014-04-01
0.8.0	6 / 5	2014-04-01
0.7.1	5 / 5	2014-03-27
0.7.0	5 / 5	2014-03-23
0.6.1	5 / 5	2014-02-16
0.6.0	5 / 5	2014-02-15
0.5.2	5 / 5	2014-01-25
0.5.1	5 / 5	2014-01-15
0.5.0	5 / 5	2014-01-11
0.4.10	2 / 5	2013-09-29
0.4.9	2 / 5	2013-09-03
0.4.8	2 / 5	2013-08-18
0.4.7	1 / 6	2013-08-18
0.4.6	1 / 5	2013-07-07
0.4.5	1 / 5	2013-06-25
0.4.4	1 / 5	2013-06-08
0.4.3	1 / 4	2013-04-18
0.4.2	1 / 4	2013-04-09
0.4.1	1 / 4	2013-03-13
0.4.0	1 / 4	2013-02-17
0.3.0	3 / 1	2013-01-27
0.2.2	3 / 1	2013-01-07
0.2.1	3 / 1	2013-01-04
0.2.0	3 / 1	2013-01-02
0.1.1	0 / 1	2012-11-15
0.1.0	0 / 1	2012-10-09

v8.0.0

2 findings

HIGH Publisher changed: ctalkington → GitHub Actions (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.