contra — Greenflagged

Asynchronous flow control with a functional taste to it

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bevacqua

Keywords

aasyncasynchronouscontrolflowgeneratorpromisesq

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Fires in vendored bower_components/mocha test bundle, not in library runtime code. Standard pattern in browser-targeted test runners; no risk to consumers.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): child_process usage is in gulpfile.js (dev build script only) to run npm publish — a standard build automation pattern with no runtime impact on consumers.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established package with 4479-day history and 296k weekly downloads; lack of Sigstore provenance is common and not a risk signal for this package.	ai	2026/04/24
dependencies	unvetted-dep:atoa	AI (dependencies): atoa is a tiny, stable utility by the same author (bevacqua) and has been a long-standing dependency of contra. No risk generalizes across versions.	ai	2026/04/23
publish-pattern	rapid-publish	AI (publish-pattern): contra uses an automated deployment script that bumps version and publishes in sequence; rapid publish is expected behavior for this package.	ai	2026/04/23

Versions (showing 51 of 62)

View all versions

Version	Deps	Published
1.9.4	2 / 7	2016-05-20
1.9.3	2 / 7	2016-05-20
1.9.1	2 / 7	2015-07-03
1.9.0	2 / 7	2015-07-02
1.8.1	0 / 16	2015-05-04
1.8.0	0 / 16	2015-01-13
1.7.0	0 / 16	2014-11-19
1.6.10	0 / 16	2014-08-17
1.6.9	0 / 16	2014-08-17
1.6.8	0 / 16	2014-07-22
1.6.7	0 / 16	2014-07-18
1.6.6	0 / 16	2014-07-09
1.6.4	0 / 16	2014-07-07
1.6.3	0 / 16	2014-05-19
1.6.2	0 / 16	2014-05-19
1.6.1	0 / 16	2014-05-15
1.6.0	0 / 16	2014-05-15
1.5.6	0 / 16	2014-05-07
1.5.5	0 / 16	2014-05-07
1.5.4	0 / 16	2014-04-02
1.5.2	0 / 16	2014-04-01
1.5.1	1 / 15	2014-03-02
1.5.0	1 / 15	2014-02-21
1.4.8	1 / 15	2014-02-21
1.4.5	1 / 15	2014-02-21
1.4.4	1 / 15	2014-02-21
1.4.3	0 / 15	2014-02-13
1.4.1	0 / 15	2014-02-11
1.4.0	0 / 15	2014-02-05
1.3.2	0 / 15	2014-02-05
1.3.1	0 / 15	2014-02-05
1.3.0	0 / 15	2014-02-05
1.2.2	0 / 15	2014-01-31
1.2.1	0 / 15	2014-01-31
1.2.0	0 / 15	2014-01-31
1.1.2	0 / 15	2014-01-31
1.1.1	0 / 15	2014-01-27
1.1.0	0 / 15	2014-01-24
1.0.31	0 / 15	2014-01-23
1.0.30	0 / 15	2014-01-22
1.0.29	0 / 15	2014-01-20
1.0.28	0 / 15	2014-01-20
1.0.27	0 / 15	2014-01-20
1.0.26	0 / 15	2014-01-20
1.0.25	0 / 15	2014-01-20
1.0.24	0 / 15	2014-01-20
1.0.23	0 / 15	2014-01-20
1.0.22	0 / 15	2014-01-20
1.0.21	0 / 15	2014-01-19
1.0.20	0 / 15	2014-01-19
1.0.19	0 / 15	2014-01-19

v1.9.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.