
cheerio-select

CSS selector engine supporting jQuery selectors

Versions: 9
License: BSD-2-Clause
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source: a registry signature only proves that the registry served the bytes it holds, and gitHead is a commit hash self-reported by the publishing client, not verified by anyone. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

mattmueller
feedic

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-added | AI (maintainer-change): feedic (fb55) is the canonical maintainer of the cheeriojs ecosystem; legitimate transfer. | ai |
source-diff | source-size-tripled | AI (source-diff): Major version rewrite (0.0.3→2.0.0) with TypeScript build output; size increase is expected. | ai |
provenance | publisher-changed | AI (provenance): feedic is Felix Boehm (fb55), the cheeriojs org maintainer. Legitimate publisher transition for this ecosystem. | ai |
dependencies | unvetted-dep:domutils | AI (dependencies): domutils is a core cheerio-ecosystem package by the same author (fb55/feedic); widely used, no malicious signals. | ai |
dependencies | unvetted-dep:domelementtype | AI (dependencies): domelementtype is a core cheerio-ecosystem package by the same author (fb55/feedic); widely used, no malicious signals. | ai |
dependencies | unvetted-dep:css-select | AI (dependencies): css-select is a core cheerio-ecosystem package by the same author (fb55/feedic); widely used, no malicious signals. | ai |
dependencies | unvetted-dep:boolbase | AI (dependencies): boolbase is a canonical cheerio-ecosystem dependency by the same author (fb55/feedic); widely used, no malicious signals. | ai |
dependencies | unvetted-dep:css-what | AI (dependencies): css-what is a core cheerio-ecosystem package by the same author (fb55/feedic); millions of weekly downloads, no malicious signals. | ai |
dependencies | unvetted-dep:CSSselect | AI (dependencies): CSSselect is the intentional and expected CSS selector dependency for cheerio-select; its use is stable and legitimate across all versions of this package. | ai |
phantom-deps | phantom-dep:domelementtype | AI (phantom-deps): domelementtype is a legitimate cheeriojs ecosystem dep declared for type/indirect usage; not a phantom dependency in any malicious sense. | ai |
provenance | no-provenance | AI (provenance): Established cheeriojs package by known author fb55; lack of Sigstore provenance is common and not a risk signal here. | ai |

Versions (showing 9 of 9)

Version | Deps | Published
2.1.0 | 6 / 12 |
2.0.0 | 6 / 12 |
1.6.0 | 5 / 11 |
1.5.0 | 5 / 11 |
1.4.0 | 5 / 11 |
1.3.0 | 5 / 11 |
1.2.0 | 5 / 11 |
1.1.0 | 5 / 11 |
1.0.0 | 5 / 11 |

v2.0.0

2 findings
[HIGH, provenance] Publisher changed: mattmueller → feedic (on 2022-04-30)

This version was published by a different npm account than previous versions on 2022-04-30. Registry metadata alone cannot distinguish a legitimate maintainer transition from an account compromise; the publisher-changed entry under Accepted risks records the reviewer's reason for treating it as the former.

[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
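The three status badges above (SLSA provenance, registry signature, gitHead) and the per-version findings (no provenance attestation, publisher changed) can all be derived from the packument the npm registry serves at https://registry.npmjs.org/<package>. The script below is an added example written for this page, not code from cheerio-select or npm. The fields it reads (versions[v].dist.attestations, versions[v].dist.signatures, versions[v].gitHead, versions[v]._npmUser, dist-tags) are real packument fields; the packument itself is constructed for illustration, and its package name, account names, digests, keyids and signature strings are placeholders.

```python
"""Added example (not cheerio-select's or npm's code): derive the provenance and
publisher signals reported on this page from an npm packument.  The PACKUMENT
below is constructed; only its field layout mirrors the real registry."""
import json
from typing import Dict, List, Tuple

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

# Constructed packument: three versions, a publisher change at 2.0.0, and a
# SLSA provenance attestation only on 2.1.0.  Placeholder values throughout.
PACKUMENT = json.loads("""
{
  "name": "example-pkg",
  "dist-tags": {"latest": "2.1.0"},
  "versions": {
    "1.6.0": {
      "gitHead": "0123456789abcdef0123456789abcdef01234567",
      "_npmUser": {"name": "alice"},
      "dist": {
        "integrity": "sha512-PLACEHOLDER1",
        "signatures": [{"keyid": "SHA256:placeholder-key", "sig": "placeholder-sig"}]
      }
    },
    "2.0.0": {
      "gitHead": "89abcdef0123456789abcdef0123456789abcdef",
      "_npmUser": {"name": "bob"},
      "dist": {
        "integrity": "sha512-PLACEHOLDER2",
        "signatures": [{"keyid": "SHA256:placeholder-key", "sig": "placeholder-sig"}]
      }
    },
    "2.1.0": {
      "_npmUser": {"name": "bob"},
      "dist": {
        "integrity": "sha512-PLACEHOLDER3",
        "signatures": [{"keyid": "SHA256:placeholder-key", "sig": "placeholder-sig"}],
        "attestations": {
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.1.0",
          "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}
        }
      }
    }
  }
}
""")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key.  Real packuments may contain prerelease versions
    (2.0.0-rc.1) that need a full semver comparator; this suffices here."""
    return tuple(int(part) for part in version.split("."))


def has_slsa_provenance(version_meta: dict) -> bool:
    """True only when the registry holds a SLSA provenance attestation, i.e. a
    cryptographic link from this tarball to a source commit and a build run.
    A registry signature or a gitHead value does not provide that link."""
    attestations = version_meta.get("dist", {}).get("attestations") or {}
    predicate = (attestations.get("provenance") or {}).get("predicateType", "")
    return predicate.startswith(SLSA_PREDICATE_PREFIX)


def latest_status(packument: dict) -> Dict[str, bool]:
    """The three badges shown for the latest visible version."""
    versions = packument["versions"]
    latest = packument.get("dist-tags", {}).get("latest") or max(versions, key=version_key)
    meta = versions[latest]
    return {
        "slsa_provenance": has_slsa_provenance(meta),
        "registry_signature": bool(meta.get("dist", {}).get("signatures")),
        "git_head_linked": bool(meta.get("gitHead")),
    }


def version_findings(packument: dict) -> Dict[str, List[str]]:
    """Walk versions in release order.  A missing attestation is INFO; a change
    of publishing account is HIGH because registry metadata alone cannot tell a
    maintainer handover from an account takeover."""
    versions = packument["versions"]
    findings: Dict[str, List[str]] = {}
    previous_publisher = None
    for version in sorted(versions, key=version_key):
        meta = versions[version]
        out: List[str] = []
        if not has_slsa_provenance(meta):
            out.append("INFO No provenance attestation")
        publisher = (meta.get("_npmUser") or {}).get("name")
        if publisher and previous_publisher and publisher != previous_publisher:
            out.append(f"HIGH Publisher changed: {previous_publisher} -> {publisher}")
        previous_publisher = publisher or previous_publisher
        findings[version] = out
    return findings


if __name__ == "__main__":
    print(latest_status(PACKUMENT))
    for version, items in version_findings(PACKUMENT).items():
        print(version, items or ["no findings"])
```

Against the real registry, `npm view cheerio-select dist.attestations` prints the attestation field (empty for a version published without provenance), and `npm audit signatures` run in a project directory verifies registry signatures and any provenance attestations for the installed tree. Note that the script only detects the presence of an attestation; verifying it means checking the Sigstore bundle at the attestation URL against the tarball's integrity digest, which is what `npm audit signatures` does.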

v1.6.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
[INFO, provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.