content-disposition
Create and parse Content-Disposition header
17
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ulisesgasconblakeembreywesleytodddougwilson
Keywords
content-dispositionhttprfc6266res
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the legitimate first release of this well-established jshttp package by dougwilson; not indicative of malicious intent. | ai | |
| provenance | no-provenance | AI (provenance): Package predates provenance attestation practices by many years; absence is expected and not a risk signal here. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects documented Express.js/jshttp governance transition to ulisesgascon and team; legitimate maintainer handoff, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (ulisesgascon, blakeembrey, wesleytodd) are known Express.js ecosystem contributors; this is a legitimate governance transition for the jshttp org. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by new maintainer activity is consistent with the documented Express.js/jshttp maintainer transition; not indicative of account takeover. | ai |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 0 / 4 | |
| 2.0.0 | 0 / 4 | |
| 1.1.0 | 0 / 8 | |
| 1.0.1 | 0 / 8 | |
| 1.0.0 | 1 / 10 | |
| 0.5.4 | 1 / 10 | |
| 0.5.3 | 1 / 10 | |
| 0.5.2 | 0 / 6 | |
| 0.5.1 | 0 / 2 | |
| 0.5.0 | 0 / 2 | |
| 0.4.0 | 0 / 2 | |
| 0.3.0 | 0 / 2 | |
| 0.2.0 | 0 / 2 | |
| 0.1.2 | 0 / 2 | |
| 0.1.1 | 0 / 2 | |
| 0.1.0 | 0 / 2 | |
| 0.0.0 | 0 / 2 |
v2.0.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.