← Home

collect-json

npm Repository Homepage

Returns a stream which becomes readable with a single value once all (valid) JSON is received.

13
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

75lb

Keywords

streamcollectalljsonbuffertransform

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:new-function-constructor AI (semgrep): new Function() in cli.js is intentional: it compiles a user-supplied CLI argument as a transform function body, which is the documented purpose of this CLI tool. Not a security risk in this context. ai
publish-pattern new-deps-added AI (publish-pattern): All 5 new deps are from the same trusted publisher (75lb) and are well-known streaming utility packages consistent with the package's purpose. ai
npm-metadata suspicious-initial-version AI (npm-metadata): 0.0.0 is a legitimate initial placeholder release by a well-established publisher with 1470 approved packages. Not indicative of malicious intent. ai
bogus-package bogus-package AI (bogus-package): Signals reflect an early/stub release of a real CLI utility by a trusted publisher with a long track record. Package has repo, bin entry, and test scripts. ai

Versions (showing 13 of 13)

Version Deps Published
1.0.9 3 / 2
1.0.8 3 / 2
1.0.7 3 / 2
1.0.6 3 / 2
1.0.5 3 / 2
1.0.4 3 / 2
1.0.3 3 / 2
1.0.2 3 / 2
1.0.1 3 / 2
1.0.0 5 / 2
0.1.1 5 / 2
0.1.0 5 / 2
0.0.0 0 / 0

v1.0.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.