bullmq — Greenflagged

Queue for messages and jobs based on Redis

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

manast

Keywords

bullbullmqqueuesjobsredis

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher moved to GitHub Actions CI/CD with SLSA provenance; expected for automated semantic-release workflow.	ai	2026/05/24
source-diff	large-new-source-files	AI (source-diff): Active package with frequent feature additions; 21 new source files consistent with normal development cadence and SLSA provenance confirms CI build integrity.	ai	2026/05/23
provenance	no-provenance	AI (provenance): Established package with strong ecosystem trust; provenance absence is common and not indicative of risk.	ai	2026/05/18
publish-pattern	dormant-publish	AI (publish-pattern): bullmq is a major, actively maintained package (714 versions, 4.5M weekly downloads). Dormancy signal is a false positive given SLSA provenance attestation confirming CI/CD publication and no other risk signals.	ai	2026/04/26
dependencies	unvetted-dep:node-abort-controller	AI (dependencies): node-abort-controller is a legitimate AbortController polyfill; its use in bullmq is appropriate for Node.js >=12 compatibility and is a stable, expected dependency.	ai	2026/04/25

Versions (showing 10 of 110)

Version	Deps	Published
5.53.2	7 / 56	2025-06-02
5.53.1	7 / 56	2025-05-30
5.53.0	7 / 56	2025-05-21
5.52.3	7 / 56	2025-05-19
5.52.2	7 / 56	2025-05-08
5.52.1	7 / 56	2025-05-02
5.52.0	7 / 56	2025-05-01
5.51.1	7 / 56	2025-04-26
5.51.0	7 / 56	2025-04-25
5.50.0	7 / 56	2025-04-25

v5.53.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.53.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.53.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.52.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.52.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.52.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.52.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.51.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.51.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.50.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.