cache-content-type
Create a full Content-Type header given a MIME type or extension and cache the result
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): fengmk2 is a well-established maintainer in the node-modules org; transition from dead_horse is a legitimate handoff consistent with the org's shared ownership model. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): fengmk2 has 633 approved packages and 4990 days of history; addition is a legitimate maintainer transition, not a takeover. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to TypeScript migration with tshy dual ESM/CJS build output — expected for a v2 major version bump from a trivial JS file. | ai |
v2.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
2 findingsThis version was published by a different npm account than previous versions on 2024-06-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.