
conventional-changelog

Generate a changelog from git metadata.

Versions: 100
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bcoe, oss-bot, dangreen, andytjoslin, stevemao, marionebl, tapppi

Keywords

conventional-changelog, conventional, changelog, log, cli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer consolidation under oss-bot automation is a documented transition for the conventional-changelog org; removal of legacy maintainers is expected and not a takeover signal. | ai |
provenance | missing-githead | AI (provenance): Publisher changed to oss-bot (CI automation), which commonly omits gitHead. No malicious indicators; consistent with legitimate CI/CD publishing transition. | ai |
provenance | publisher-changed | AI (provenance): Publisher change from stevemao to tommywo reflects a legitimate maintainer transition within the conventional-changelog GitHub org; tommywo has 111 approved packages and 6+ year npm history. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are known contributors to the conventional-changelog GitHub organization; this is a legitimate organizational handoff, not a compromise. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): Both new deps (conventional-changelog-preset-loader, conventional-changelog-conventionalcommits) are part of the same conventional-changelog monorepo/org; legitimate feature additions. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in cli.js is used to load user-supplied context files via CLI flags — an intentional, documented feature of this changelog CLI tool, not a security risk. | ai |
dependencies | unvetted-dep:conventional-changelog-eslint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-atom | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-angular | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-core | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-conventionalcommits | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-codemirror | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-express | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-ember | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
provenance | no-provenance | AI (provenance): Established package with strong publisher track record; lack of provenance is common and not a risk signal here. | ai |
dependencies | unvetted-dep:conventional-changelog-jshint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
dependencies | unvetted-dep:conventional-changelog-jquery | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai |
semgrep | semgrep:child-process-exec | AI (semgrep): exec() calls are hardcoded git commands (e.g., 'git tag') needed for changelog generation — not dynamic input, not malicious. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Package generates changelogs by running git commands; child_process import is core to its documented purpose and not a security risk. | ai |
phantom-deps | phantom-dep:conventional-changelog-conventionalcommits | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-atom | AI (phantom-deps): conventional-changelog is a meta-package; presets are loaded dynamically via preset-loader, not statically imported. Phantom-dep is a stable false positive for this package. | ai |
phantom-deps | phantom-dep:conventional-changelog-ember | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-eslint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-jquery | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-jshint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-angular | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-express | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
phantom-deps | phantom-dep:conventional-changelog-codemirror | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai |
source-diff | obfuscated-file:dist/ConventionalChangelog.js | AI (source-diff): File is compiled/bundled ESM output with readable class definitions and changelog logic. Long lines are bundler artifacts, not obfuscation. | ai |
source-diff | obfuscated-file:dist/cli/cli.js | AI (source-diff): File is compiled/bundled ESM output, not obfuscated. Long lines are from bundler inlining; code is clearly readable CLI logic for conventional-changelog. | ai |
source-diff | obfuscated-file:dist/hostedGitInfo.mock.js | AI (source-diff): File is a test fixture/mock data file containing URL parsing test cases. Large size is due to data volume, not obfuscation. | ai |
source-diff | obfuscated-file:dist/hostedGitInfo.js | AI (source-diff): File is compiled/bundled ESM output with readable git hosting URL parsing logic. Long lines are bundler artifacts, not obfuscation. | ai |
phantom-deps | phantom-dep:@types/normalize-package-data | AI (phantom-deps): TypeScript types package; loaded by convention. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:conventional-commits-parser | AI (phantom-deps): conventional-commits-parser is loaded dynamically via preset loader. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:normalize-package-data | AI (phantom-deps): normalize-package-data is loaded dynamically for package metadata processing. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:fd-package-json | AI (phantom-deps): fd-package-json is loaded dynamically for package.json discovery. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:meow | AI (phantom-deps): meow is a CLI argument parser; dynamically loaded by CLI entry point. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:conventional-changelog-preset-loader | AI (phantom-deps): conventional-changelog-preset-loader is loaded dynamically for preset discovery. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:@conventional-changelog/git-client | AI (phantom-deps): @conventional-changelog/git-client is loaded dynamically for git operations. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:conventional-changelog-writer | AI (phantom-deps): conventional-changelog-writer is loaded dynamically via preset loader. Stable pattern for this package. | ai |

Versions (showing 100 of 101)

Version Deps Published
7.2.0 9 / 0
7.1.1 8 / 0
7.1.0 8 / 0
7.0.2 8 / 0
7.0.1 8 / 0
7.0.0 8 / 0
6.0.0 11 / 0
5.1.0 11 / 0
5.0.0 11 / 0
4.0.0 11 / 0
3.1.25 11 / 0
3.1.24 11 / 0
3.1.23 11 / 0
3.1.22 11 / 0
3.1.21 11 / 0
3.1.20 11 / 0
3.1.19 11 / 0
3.1.18 11 / 0
3.1.17 11 / 0
3.1.16 11 / 0
3.1.15 11 / 0
3.1.14 11 / 0
3.1.13 11 / 0
3.1.12 11 / 0
3.1.10 11 / 0
3.1.9 11 / 0
3.1.8 11 / 0
3.1.7 11 / 0
3.1.6 11 / 0
3.1.5 11 / 0
3.1.4 11 / 0
3.1.3 11 / 0
3.1.2 11 / 0
3.1.1 11 / 0
3.0.6 10 / 0
3.0.5 10 / 0
3.0.4 10 / 0
3.0.3 10 / 0
3.0.2 10 / 0
3.0.1 10 / 0
2.0.3 11 / 2
2.0.2 11 / 2
2.0.1 11 / 2
2.0.0 11 / 2
1.1.24 11 / 2
1.1.23 11 / 2
1.1.22 11 / 2
1.1.21 11 / 2
1.1.20 11 / 2
1.1.19 11 / 2
1.1.18 11 / 2
1.1.17 11 / 2
1.1.16 11 / 7
1.1.15 11 / 7
1.1.14 11 / 7
1.1.12 11 / 7
1.1.11 10 / 7
1.1.10 10 / 7
1.1.7 10 / 7
1.1.6 10 / 7
1.1.5 10 / 7
1.1.4 10 / 7
1.1.3 10 / 7
1.1.2 10 / 7
1.1.1 10 / 7
1.1.0 10 / 9
1.0.1 10 / 9
1.0.0 10 / 9
0.5.3 16 / 9
0.5.2 16 / 9
0.5.1 16 / 9
0.5.0 16 / 9
0.4.3 14 / 9
0.4.2 14 / 9
0.4.1 14 / 9
0.4.0 14 / 9
0.3.2 14 / 9
0.3.0 14 / 9
0.2.1 14 / 8
0.2.0 14 / 8
0.1.3 14 / 8
0.1.2 14 / 8
0.1.1 14 / 8
0.1.0 14 / 8
0.0.17 5 / 5
0.0.16 7 / 5
0.0.15 7 / 5
0.0.14 7 / 5
0.0.13 7 / 5
0.0.12 7 / 5
0.0.11 2 / 3
0.0.10 2 / 3
0.0.9 2 / 3
0.0.8 2 / 3
0.0.7 2 / 3
0.0.6 2 / 3
0.0.5 2 / 3
0.0.4 1 / 3
0.0.3 1 / 3
0.0.2 1 / 3

v6.0.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: bcoe → oss-bot (on 2024-05-03) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2024-05-03. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.

HIGH Publisher changed: stevemao → oss-bot (on 2023-09-08) provenance

This version was published by a different npm account than previous versions on 2023-09-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.

HIGH Publisher changed: stevemao → oss-bot (on 2023-08-27) provenance

This version was published by a different npm account than previous versions on 2023-08-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.

HIGH Publisher changed: stevemao → oss-bot (on 2023-06-06) provenance

This version was published by a different npm account than previous versions on 2023-06-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.25

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.

HIGH Publisher changed: stevemao → oss-bot (on 2021-12-24) provenance

This version was published by a different npm account than previous versions on 2021-12-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.24

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2020-11-05) provenance

This version was published by a different npm account than previous versions on 2020-11-05. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.23

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2020-08-12) provenance

This version was published by a different npm account than previous versions on 2020-08-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.22

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2020-06-20) provenance

This version was published by a different npm account than previous versions on 2020-06-20. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.21

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2020-05-08) provenance

This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.20

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2020-05-08) provenance

This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.19

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-12-24) provenance

This version was published by a different npm account than previous versions on 2019-12-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.18

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-12-15) provenance

This version was published by a different npm account than previous versions on 2019-12-15. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.17

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-11-27) provenance

This version was published by a different npm account than previous versions on 2019-11-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.16

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-11-21) provenance

This version was published by a different npm account than previous versions on 2019-11-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.15

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-11-14) provenance

This version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.14

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-11-07) provenance

This version was published by a different npm account than previous versions on 2019-11-07. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.13

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-10-24) provenance

This version was published by a different npm account than previous versions on 2019-10-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.12

2 findings
HIGH Publisher changed: stevemao → tommywo (on 2019-10-03) provenance

This version was published by a different npm account than previous versions on 2019-10-03. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.10

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-07-29) provenance

This version was published by a different npm account than previous versions on 2019-07-29. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.9

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-05-18) provenance

This version was published by a different npm account than previous versions on 2019-05-18. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.8

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-05-05) provenance

This version was published by a different npm account than previous versions on 2019-05-05. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.7

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-05-02) provenance

This version was published by a different npm account than previous versions on 2019-05-02. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.6

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-05-02) provenance

This version was published by a different npm account than previous versions on 2019-05-02. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.5

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-04-26) provenance

This version was published by a different npm account than previous versions on 2019-04-26. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.4

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-04-24) provenance

This version was published by a different npm account than previous versions on 2019-04-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.3

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-04-11) provenance

This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.2

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-04-11) provenance

This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-04-11) provenance

This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2019-02-14) provenance

This version was published by a different npm account than previous versions on 2019-02-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.5

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

2 findings
HIGH Publisher changed: stevemao → bcoe (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-08-21) provenance

This version was published by a different npm account than previous versions on 2018-08-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-08-21) provenance

This version was published by a different npm account than previous versions on 2018-08-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-06-06) provenance

This version was published by a different npm account than previous versions on 2018-06-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-05-29) provenance

This version was published by a different npm account than previous versions on 2018-05-29. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.24

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-04-16) provenance

This version was published by a different npm account than previous versions on 2018-04-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.23

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-28) provenance

This version was published by a different npm account than previous versions on 2018-03-28. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.22

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-27) provenance

This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.21

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-27) provenance

This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.20

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-27) provenance

This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.19

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-22) provenance

This version was published by a different npm account than previous versions on 2018-03-22. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.18

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-03-03) provenance

This version was published by a different npm account than previous versions on 2018-03-03. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.17

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-02-24) provenance

This version was published by a different npm account than previous versions on 2018-02-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.16

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-02-20) provenance

This version was published by a different npm account than previous versions on 2018-02-20. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.15

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bcoe.

HIGH Publisher changed: stevemao → bcoe (on 2018-02-13) provenance

This version was published by a different npm account than previous versions on 2018-02-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.14

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bcoe.

HIGH Publisher changed: stevemao → bcoe (on 2018-02-13) provenance

This version was published by a different npm account than previous versions on 2018-02-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.12

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-02-12) provenance

This version was published by a different npm account than previous versions on 2018-02-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.11

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-02-05) provenance

This version was published by a different npm account than previous versions on 2018-02-05. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.10

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.

HIGH Publisher changed: stevemao → hbetts (on 2018-01-29) provenance

This version was published by a different npm account than previous versions on 2018-01-29. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.7

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stevemao.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.6

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stevemao.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.5

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stevemao.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.4

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: tapppi.

HIGH Publisher changed: stevemao → tapppi (on 2017-03-23) provenance

This version was published by a different npm account than previous versions on 2017-03-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.3

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bcoe.

HIGH Publisher changed: stevemao → bcoe (on 2017-03-11) provenance

This version was published by a different npm account than previous versions on 2017-03-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bcoe.

HIGH Publisher changed: stevemao → bcoe (on 2017-03-11) provenance

This version was published by a different npm account than previous versions on 2017-03-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bcoe.

HIGH Publisher changed: stevemao → bcoe (on 2017-03-10) provenance

This version was published by a different npm account than previous versions on 2017-03-10. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
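For the versions in this part of the history the LOW finding is expected rather than suspicious: npm did not offer Sigstore provenance attestations until 2023, so nothing published before then could carry one. Without an attestation the substitute check is manual: fetch the tarball, check out the tagged commit, and compare the two file by file. The block below is an added example of that comparison, not the project's or the scanner's code. It builds a constructed fixture (a small source tree plus a tarball with one altered file and one file that never existed in the repository) in a temporary directory; in real use you would point `reconcile()` at the tarball from `npm pack` or from the `dist.tarball` URL and at a checkout of the tag. The only npm-specific detail it relies on is that registry tarballs place all files under a top-level `package/` directory.

```python
"""Reconcile an npm tarball against the source tree it claims to come from.

Added example, not the project's or the scanner's code. build_fixture()
constructs a small source tree and a tarball in a temp directory; in real
use you would point reconcile() at an `npm pack` or registry tarball and
at a checkout of the tagged commit.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_path: str) -> Dict[str, str]:
    """Map each regular file in the tarball to its sha256.

    npm tarballs place everything under a top-level "package/" directory,
    which is stripped so paths line up with the source checkout.
    """
    digests: Dict[str, str] = {}
    with tarfile.open(tar_path, "r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.startswith("package/"):
                name = name[len("package/"):]
            fh = tf.extractfile(member)
            digests[name] = _sha256(fh.read() if fh else b"")
    return digests


def source_digests(src_dir: str) -> Dict[str, str]:
    """Map each file under the checkout (ignoring .git) to its sha256."""
    root = Path(src_dir)
    return {
        p.relative_to(root).as_posix(): _sha256(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file() and ".git" not in p.parts
    }


def reconcile(tar_path: str, src_dir: str) -> Dict[str, List[str]]:
    """Classify differences between tarball and checkout.

    'only_in_source' is usually benign (files kept out by .npmignore or the
    "files" field); 'modified' and 'only_in_tarball' are the ones to read
    line by line before trusting the package.
    """
    tar, src = tarball_digests(tar_path), source_digests(src_dir)
    return {
        "modified": sorted(k for k in tar if k in src and tar[k] != src[k]),
        "only_in_tarball": sorted(k for k in tar if k not in src),
        "only_in_source": sorted(k for k in src if k not in tar),
    }


def build_fixture() -> Tuple[str, str]:
    """Constructed sample: a three-file package whose tarball has one
    altered file and one file that never existed in the repository."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "src"
    (src / "lib").mkdir(parents=True)
    (src / "package.json").write_text('{"name":"demo","version":"1.0.0","main":"index.js"}\n')
    (src / "index.js").write_text("module.exports = require('./lib/core');\n")
    (src / "lib" / "core.js").write_text("module.exports = () => 'ok';\n")
    (src / "test.js").write_text("// kept out of the tarball, like an .npmignore'd file\n")

    tar_path = tmp / "demo-1.0.0.tgz"
    with tarfile.open(tar_path, "w:gz") as tf:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("package.json", (src / "package.json").read_bytes())
        add("index.js", (src / "index.js").read_bytes())
        # tampered: an extra require() that is not in the tagged source
        add("lib/core.js", b"module.exports = () => 'ok';\nrequire('./postinstall');\n")
        add("lib/postinstall.js", b"// present only in the published artifact\n")
    return str(tar_path), str(src)


if __name__ == "__main__":
    for kind, paths in reconcile(*build_fixture()).items():
        print(f"{kind}: {paths}")
```

A clean result is a `modified` and `only_in_tarball` list that are both empty; anything left in `only_in_source` should be explainable by the package's `.npmignore` or `files` entry.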

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.17

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.