cacache
Fast, fault-tolerant, cross-platform, disk-based, data-agnostic, content-addressable cache.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@npmcorp/move | AI (dependencies): @npmcorp/move is an npm-internal atomic file move utility; its use in a caching library is expected and legitimate. | ai | |
| dependencies | unvetted-dep:checksum-stream | AI (dependencies): checksum-stream is a stream integrity utility directly relevant to a content-addressable cache; no malicious signals. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): cacache was publicly transferred from zkat to the npm/GitHub org; new maintainers are recognized npm CLI team members. Repo URL confirms official ownership. Not a hijack. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions as part of the npm org takeover of cacache; consistent with SLSA provenance attestation and official npm CLI team ownership. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are npm CLI team members following documented transfer of cacache to the npm organization. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): zkat's removal is consistent with the known transfer of cacache to the npm org; not indicative of a hostile takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (minipass, ssri, lru-cache, etc.) are all npm-org-maintained packages; diff is against v5.0.0 so reflects years of legitimate evolution, not a sudden injection. | ai | |
| dependencies | unvetted-dep:fs-minipass | AI (dependencies): fs-minipass is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency. | ai | |
| dependencies | unvetted-dep:@npmcli/fs | AI (dependencies): @npmcli/fs is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency. | ai | |
| dependencies | unvetted-dep:minipass-flush | AI (dependencies): minipass-flush is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency. | ai | |
| dependencies | unvetted-dep:minipass-collect | AI (dependencies): minipass-collect is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency. | ai | |
| dependencies | unvetted-dep:minipass-pipeline | AI (dependencies): minipass-pipeline is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency. | ai | |
| dependencies | unvetted-dep:ssri | AI (dependencies): ssri is an official npm CLI ecosystem package maintained by GitHub/npm org; a standard cacache dependency across many versions. | ai |
Versions (showing 51 of 97)
| Version | Deps | Published |
|---|---|---|
| 21.0.0 | 10 / 3 | |
| 20.0.4 | 10 / 3 | |
| 20.0.3 | 11 / 3 | |
| 20.0.2 | 11 / 3 | |
| 20.0.1 | 11 / 3 | |
| 20.0.0 | 12 / 3 | |
| 19.0.1 | 12 / 3 | |
| 19.0.0 | 12 / 3 | |
| 18.0.4 | 12 / 3 | |
| 18.0.3 | 12 / 3 | |
| 18.0.2 | 12 / 3 | |
| 18.0.1 | 12 / 3 | |
| 18.0.0 | 12 / 3 | |
| 17.1.4 | 12 / 3 | |
| 17.1.3 | 12 / 3 | |
| 17.1.2 | 12 / 3 | |
| 17.1.1 | 12 / 3 | |
| 17.1.0 | 12 / 3 | |
| 17.0.7 | 12 / 3 | |
| 17.0.6 | 13 / 3 | |
| 17.0.4 | 13 / 3 | |
| 17.0.3 | 13 / 3 | |
| 17.0.2 | 13 / 3 | |
| 17.0.1 | 14 / 3 | |
| 17.0.0 | 14 / 3 | |
| 16.1.3 | 18 / 3 | |
| 16.1.2 | 18 / 3 | |
| 16.1.1 | 18 / 3 | |
| 16.1.0 | 18 / 3 | |
| 16.0.7 | 18 / 3 | |
| 16.0.6 | 18 / 7 | |
| 16.0.5 | 18 / 7 | |
| 16.0.4 | 18 / 7 | |
| 16.0.3 | 18 / 7 | |
| 16.0.2 | 18 / 6 | |
| 16.0.1 | 18 / 6 | |
| 16.0.0 | 18 / 6 | |
| 15.3.0 | 18 / 6 | |
| 15.2.0 | 17 / 6 | |
| 15.1.0 | 17 / 7 | |
| 15.0.6 | 17 / 7 | |
| 15.0.5 | 17 / 7 | |
| 15.0.4 | 17 / 7 | |
| 15.0.3 | 17 / 7 | |
| 15.0.2 | 18 / 7 | |
| 15.0.0 | 17 / 7 | |
| 14.0.0 | 19 / 10 | |
| 13.0.1 | 18 / 10 | |
| 13.0.0 | 18 / 10 | |
| 12.0.4 | 15 / 8 | |
| 12.0.3 | 15 / 10 |
v21.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.0.3
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (gar, saquibkhan, npm-cli-ops, reggi, hashtagchris, owlstronaut). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.0.2
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (gar, saquibkhan, npm-cli-ops, reggi, hashtagchris, owlstronaut). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-11-17. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.0.1
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (gar, saquibkhan, npm-cli-ops, reggi, hashtagchris, owlstronaut). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-08-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.0.0
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (gar, saquibkhan, npm-cli-ops, reggi, hashtagchris, owlstronaut). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v19.0.1
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (hashtagchris, reggi, npm-cli-ops, saquibkhan, fritzy, gar). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2024-09-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v19.0.0
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (hashtagchris, reggi, npm-cli-ops, saquibkhan, fritzy, gar). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2024-09-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.0.4
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (reggi, npm-cli-ops, saquibkhan, fritzy, gar). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2024-07-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.0.3
3 findingsAll previous maintainers (zkat) were replaced by new maintainers (npm-cli-ops, saquibkhan, fritzy, gar, lukekarrys). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2024-05-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.1.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v17.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v17.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v17.1.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-02. This could indicate a legitimate maintainer transition or an account compromise.
v17.0.7
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v17.0.6
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-27. This could indicate a legitimate maintainer transition or an account compromise.
v17.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.0.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-04. This could indicate a legitimate maintainer transition or an account compromise.
v17.0.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-10-17. This could indicate a legitimate maintainer transition or an account compromise.
v17.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-23. This could indicate a legitimate maintainer transition or an account compromise.
v16.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-21. This could indicate a legitimate maintainer transition or an account compromise.
v16.0.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-20. This could indicate a legitimate maintainer transition or an account compromise.
v16.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-22. This could indicate a legitimate maintainer transition or an account compromise.
v16.0.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-17. This could indicate a legitimate maintainer transition or an account compromise.
v16.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-26. This could indicate a legitimate maintainer transition or an account compromise.
v15.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-25. This could indicate a legitimate maintainer transition or an account compromise.
v15.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-19. This could indicate a legitimate maintainer transition or an account compromise.
v15.0.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-22. This could indicate a legitimate maintainer transition or an account compromise.
v15.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-02-18. This could indicate a legitimate maintainer transition or an account compromise.
v14.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-01-28. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-30. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v12.0.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v12.0.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-19. This could indicate a legitimate maintainer transition or an account compromise.