
changelog

Command line tool (and Node module) that generates a changelog in color output, markdown, or json for modules in npmjs.org's registry as well as any public github.com repo.

13 Versions
License: (not listed)
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing proves that the published bytes were built from the repository commit they claim to come from. A registry signature, where one exists, only attests that the registry served these bytes, not where they were built. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

dylangrarkins

Keywords

changelog, change log, commit messages, commits, changes, history, what's new, change set

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Package is 5379 days old; provenance attestation was not available at publish time. Trusted publisher with clean track record. | ai | 
phantom-deps | phantom-dep:chai | AI (phantom-deps): chai is listed in both dependencies and devDependencies; it's a test library accidentally included in runtime deps, not a security concern for this package. | ai | 
publish-pattern | new-deps-added | AI (publish-pattern): github-url-from-git is a well-known, legitimate utility appropriate for a changelog tool that works with GitHub repos. No malicious indicators. | ai | 
provenance | publisher-changed | AI (provenance): The dylang→rarkins transition occurred in 2017 and is a well-known legitimate maintainer handoff. rarkins (Rhys Arkins) is a reputable, long-standing npm publisher with 30 approved packages. | ai | 
maintainer-change | maintainer-added | AI (maintainer-change): rarkins is a well-established publisher (first seen 3238 days ago, 30 approved packages). The maintainer addition dates to 2017 and represents a legitimate transfer. | ai | 
email-domain | unclaimed-email:keylocation.sg | AI (email-domain): Established package with strong publisher track record; unclaimed domain is a hygiene concern but no active exploit or malicious indicators present. | ai | 
dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP client library; its presence as a dependency in this established package is expected and not a security concern. | ai | 
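The three rules accepted above (no-provenance, publisher-changed, phantom-dep) can all be evaluated from the package's registry document (the "packument") before anything is installed. The following is an added example written for this page, not code from the scanner or from the changelog package. It runs over a constructed packument embedded inline; the field names (`versions[v].dist.signatures`, `dist.attestations.provenance.predicateType`, `gitHead`, `_npmUser`) follow the npm registry document shape as the author understands it, while the package name, account names and values are made up. `compareVersions` is a deliberately minimal stand-in for the `semver` package.

```javascript
// Added example: supply-chain pre-checks over an npm packument.
// Reproduces three finding classes from the report above:
//   - no-provenance   (no SLSA/Sigstore attestation on the version)
//   - publisher-changed (different npm account than the previous version)
//   - phantom-dep     (name in both dependencies and devDependencies)

// CONSTRUCTED sample packument; names, accounts and hashes are invented.
const packument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.3.0" },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      _npmUser: { name: "alice" },
      dependencies: { request: "^2.0.0" },
      devDependencies: { mocha: "^5.0.0" },
      dist: { tarball: "https://registry.example/-/example-pkg-1.0.0.tgz" },
    },
    "1.2.1": {
      version: "1.2.1",
      _npmUser: { name: "bob" }, // account differs from 1.0.0
      gitHead: "0123456789abcdef0123456789abcdef01234567",
      dependencies: { request: "^2.0.0", chai: "^4.0.0" }, // chai is a test lib
      devDependencies: { mocha: "^5.0.0", chai: "^4.0.0" },
      dist: {
        tarball: "https://registry.example/-/example-pkg-1.2.1.tgz",
        signatures: [{ keyid: "SHA256:fake-registry-key", sig: "MEUCIQ..." }],
      },
    },
    "1.3.0": {
      version: "1.3.0",
      _npmUser: { name: "bob" },
      gitHead: "89abcdef0123456789abcdef0123456789abcdef",
      dependencies: { request: "^2.0.0" },
      devDependencies: { mocha: "^5.0.0", chai: "^4.0.0" },
      dist: {
        tarball: "https://registry.example/-/example-pkg-1.3.0.tgz",
        signatures: [{ keyid: "SHA256:fake-registry-key", sig: "MEQCIA..." }],
        attestations: {
          url: "https://registry.example/-/npm/v1/attestations/example-pkg@1.3.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Minimal x.y.z ordering (prerelease tags ignored) so the example does not
// depend on the `semver` package. Object key order is NOT publish order.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// `signed` is the registry's own signature over the tarball (proves the
// registry served these bytes); `attested` requires a SLSA provenance
// attestation, the only one of the three that links bytes to a build.
function provenanceStatus(ver) {
  const dist = ver.dist || {};
  const predicate = dist.attestations?.provenance?.predicateType || "";
  return {
    signed: Array.isArray(dist.signatures) && dist.signatures.length > 0,
    attested: predicate.startsWith("https://slsa.dev/provenance/"),
    gitHead: typeof ver.gitHead === "string" && ver.gitHead.length > 0,
  };
}

// Publishing-account changes between consecutive versions. The packument
// cannot distinguish a hand-over from an account takeover; it only flags.
function publisherChanges(pkg) {
  const order = Object.keys(pkg.versions).sort(compareVersions);
  const changes = [];
  for (let i = 1; i < order.length; i++) {
    const prev = pkg.versions[order[i - 1]]._npmUser?.name;
    const cur = pkg.versions[order[i]]._npmUser?.name;
    if (prev && cur && prev !== cur) changes.push({ version: order[i], from: prev, to: cur });
  }
  return changes;
}

// Names that appear in both dependencies and devDependencies of one version.
function phantomDeps(ver) {
  const dev = new Set(Object.keys(ver.devDependencies || {}));
  return Object.keys(ver.dependencies || {}).filter((n) => dev.has(n)).sort();
}

// Findings in the report's severity vocabulary (HIGH / LOW / INFO).
function review(pkg) {
  const findings = [];
  for (const v of Object.keys(pkg.versions).sort(compareVersions)) {
    const ver = pkg.versions[v];
    const p = provenanceStatus(ver);
    if (!p.attested) findings.push({ version: v, severity: "LOW", rule: "no-provenance", signed: p.signed, gitHead: p.gitHead });
    for (const name of phantomDeps(ver)) findings.push({ version: v, severity: "INFO", rule: `phantom-dep:${name}` });
  }
  for (const c of publisherChanges(pkg)) {
    findings.push({ version: c.version, severity: "HIGH", rule: "publisher-changed", detail: `${c.from} -> ${c.to}` });
  }
  return findings;
}

console.log(JSON.stringify(review(packument), null, 2));
```

Against a real package, fetch `https://registry.npmjs.org/<name>` and pass the parsed JSON to `review`; the same checks for an installed tree are done by `npm audit signatures`, which verifies both registry signatures and provenance attestations. On the maintainer side, the fix the findings ask for is publishing from CI with `npm publish --provenance` under a workflow granted `id-token: write`.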

Versions (showing 13 of 13)

Version | Deps | Published
1.4.1 | 10 / 13 | 
1.4.0 | 10 / 13 | 
1.3.0 | 9 / 13 | 
1.2.1 | 9 / 12 | 
1.0.6 | 8 / 12 | 
1.0.1 | 9 / 2 | 
1.0.0 | 9 / 2 | 
0.1.3 | 6 / 0 | 
0.1.1 | 6 / 1 | 
0.0.8 | 6 / 1 | 
0.0.6 | 6 / 1 | 
0.0.5 | 6 / 1 | 
0.0.4 | 6 / 1 | 

v1.4.1

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.4.0

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.3.0

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.2.1

2 findings
HIGH · Publisher changed: dylang → rarkins (on 2017-06-12) (rule: provenance)

This version was published by a different npm account than previous versions, on 2017-06-12. This could indicate a legitimate maintainer transition or an account compromise; the registry record alone cannot distinguish the two.

LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.0.6

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW · No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.1.3

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.1.1

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.0.8

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.0.6

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.0.5

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v0.0.4

1 finding
INFO · No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.