← Home

collections

npm Repository Homepage

data structures with idiomatic JavaScript collection interfaces

76
Versions
BSD-3-Clause
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aadsmhthetiotfrancoisfrischmarchantkriskowalstukcdebost

Keywords

collectionsdata structuresobservablelistsetmapsplay

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Publisher change from marchant to hthetiot occurred in 2017 (~8 years ago); hthetiot has a strong track record (178 approved packages). This is a historical, legitimate transition. ai
maintainer-change maintainer-added AI (maintainer-change): hthetiot was added as maintainer in 2017 as part of the same legitimate transition; not a new or suspicious change. ai
email-domain unclaimed-email:montagestudio.com AI (email-domain): MontageStudio was a real company that shut down; the lapsed domain belongs to a contributor (Benoit Marchant), not the current publisher. Low active exploit risk for this established package. ai

Versions (showing 76 of 76)

Version Deps Published
5.1.13 1 / 16
5.1.12 1 / 16
5.1.11 1 / 16
5.1.10 1 / 16
5.1.9 1 / 15
5.1.8 1 / 15
5.1.7 1 / 15
5.1.6 1 / 15
5.1.5 1 / 15
5.1.4 1 / 15
5.1.3 1 / 15
5.1.2 1 / 15
5.1.1 1 / 13
5.1.0 1 / 13
5.0.7 1 / 13
5.0.6 1 / 3
5.0.5 1 / 3
5.0.4 1 / 3
5.0.3 1 / 3
5.0.2 1 / 3
5.0.1 1 / 3
5.0.0 1 / 3
3.0.0 1 / 3
2.0.3 14 / 4
2.0.2 14 / 4
2.0.1 1 / 4
1.2.4 1 / 3
1.2.3 1 / 3
1.2.2 1 / 3
1.2.1 1 / 3
1.2.0 1 / 3
1.1.0 1 / 3
1.0.2 1 / 3
1.0.1 1 / 3
1.0.0 1 / 3
0.2.2 1 / 3
0.2.1 1 / 3
0.2.0 1 / 3
0.1.24 1 / 3
0.1.23 0 / 3
0.1.22 0 / 3
0.1.21 0 / 3
0.1.20 0 / 3
0.1.19 0 / 3
0.1.18 0 / 3
0.1.17 0 / 3
0.1.16 0 / 3
0.1.15 0 / 3
0.1.14 0 / 3
0.1.13 0 / 3
0.1.12 0 / 3
0.1.11 0 / 3
0.1.10 0 / 3
0.1.9 0 / 3
0.1.8 0 / 3
0.1.7 0 / 3
0.1.6 0 / 3
0.1.5 0 / 3
0.1.4 0 / 3
0.1.3 0 / 3
0.1.2 0 / 3
0.1.1 0 / 3
0.1.0 0 / 3
0.0.13 0 / 1
0.0.12 0 / 1
0.0.11 0 / 1
0.0.10 0 / 1
0.0.9 0 / 1
0.0.8 0 / 1
0.0.7 0 / 1
0.0.6 0 / 1
0.0.5 0 / 1
0.0.4 0 / 1
0.0.3 0 / 1
0.0.2 0 / 0
0.0.1 0 / 0

v5.1.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.12

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cdebost → marchant (on 2020-09-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-25. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.11

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: marchant → cdebost (on 2020-04-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-24. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.10

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cdebost → marchant (on 2020-04-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-07. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.9

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: marchant → cdebost (on 2019-06-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-04. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.8

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: marchant → cdebost (on 2019-02-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-07. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.6

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: hthetiot → marchant (on 2018-12-19) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-19. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.4

2 findings
HIGH Unclaimed maintainer email domain: montagestudio.com email-domain

Maintainer email '[email protected]' uses domain 'montagestudio.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.2

2 findings
HIGH Unclaimed maintainer email domain: montagestudio.com email-domain

Maintainer email '[email protected]' uses domain 'montagestudio.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.0

3 findings
HIGH Publisher changed: marchant → hthetiot (on 2017-12-07) provenance

This version was published by a different npm account than previous versions on 2017-12-07. This could indicate a legitimate maintainer transition or an account compromise.

HIGH Unclaimed maintainer email domain: montagestudio.com email-domain

Maintainer email '[email protected]' uses domain 'montagestudio.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.7

3 findings
HIGH Publisher changed: marchant → hthetiot (on 2017-07-28) provenance

This version was published by a different npm account than previous versions on 2017-07-28. This could indicate a legitimate maintainer transition or an account compromise.

HIGH Unclaimed maintainer email domain: montagestudio.com email-domain

Maintainer email '[email protected]' uses domain 'montagestudio.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.2

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: kriskowal → marchant (on 2016-06-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-25. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.1

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: kriskowal → marchant (on 2016-06-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-18. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.0

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: kriskowal → marchant (on 2016-06-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-08. This could indicate a legitimate maintainer transition or an account compromise.