bem-naming — Greenflagged

Manage naming of BEM entities

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

blond

Keywords

bemnamingentitiesparsestringify

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Established package with clean history; missing gitHead is a publish-environment artifact, not a security signal for this package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; lack of attestation is expected for this legacy package and not a security concern.	ai	2026/04/24
maintainer-change	maintainer-takeover	AI (maintainer-change): andrewblond and blond are the same person (Andrew Abramov, [email protected]) — a legitimate account rename. Package is part of official bem GitHub org. No malicious signals.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change from andrewblond to blond reflects same author (Andrew Abramov) changing npm account. Consistent with package.json author/contributor fields.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer 'blond' is the same person as 'andrewblond' (Andrew Abramov). Legitimate account transition.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of andrewblond is part of same-person account rename to blond. Not a hostile takeover.	ai	2026/04/24

Versions (showing 12 of 12)

Version	Deps	Published
1.0.1	0 / 7	2016-03-31
1.0.0	0 / 7	2016-03-28
0.5.1	0 / 8	2015-01-12
0.5.0	0 / 7	2014-12-19
0.4.0	0 / 7	2014-11-08
0.3.0	0 / 7	2014-08-21
0.2.1	0 / 7	2014-08-12
0.2.0	0 / 7	2014-08-10
0.1.0	0 / 5	2014-07-05
0.0.3	0 / 2	2014-05-15
0.0.2	0 / 2	2014-05-14
0.0.1	0 / 2	2014-05-12

v1.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (andrewblond) were replaced by new maintainers (blond). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: andrewblond → blond (on 2015-01-12) provenance

This version was published by a different npm account than previous versions on 2015-01-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (andrewblond) were replaced by new maintainers (blond). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: andrewblond → blond (on 2014-12-19) provenance

This version was published by a different npm account than previous versions on 2014-12-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (andrewblond) were replaced by new maintainers (blond). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: andrewblond → blond (on 2014-11-08) provenance

This version was published by a different npm account than previous versions on 2014-11-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: andrewblond.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.