assign-deep
Deeply assign the values of all enumerable-own-properties and symbols from one or more source objects to a target object. Returns the target object.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): doowb (Brian Woodward) is an explicitly listed contributor in package.json alongside original author jonschlinkert; this is a legitimate known-collaborator transition, not a hostile takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): is-primitive and kind-of are canonical jonschlinkert/doowb ecosystem utilities, widely trusted and consistent with this package's deep-assign functionality. | ai |
v1.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8
2 findingsThis version was published by a different npm account than previous versions on 2019-06-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.