copy
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:bluebird | AI (phantom-deps): bluebird is a legitimate promise library; phantom detection likely reflects indirect use or config-level reference in a 2015-era package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from mjor to jonschlinkert is a documented legitimate transfer; jonschlinkert has strong track record and owns the GitHub repo. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): doowb and jonschlinkert are known trusted maintainers in the assemble/jonschlinkert ecosystem. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mjor published only a stub v0.0.1; removal is consistent with a legitimate transfer to the package's actual developer. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from stub (2KB) to full implementation (14KB) is expected; package went from near-empty to a functional file-copy utility with CLI, glob, and promise support. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): jonschlinkert is a highly trusted publisher (1961 approved packages). Transfer from mjor (stub author) to jonschlinkert is a legitimate ecosystem handoff, not a hijack. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 on a 4949-day-old package with 13 registry versions is a historical artifact, not a malicious indicator. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is a 14-year-old stub with 13 versions; bogus-package signals reflect its placeholder nature, not malicious intent. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): 'copy' is a legitimate, well-established file-copy utility with no relation to 'cors'. The name similarity is purely coincidental; no impersonation intent. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.3.2 | 14 / 10 | |
| 0.3.1 | 14 / 10 | |
| 0.3.0 | 14 / 10 | |
| 0.2.3 | 13 / 10 | |
| 0.2.2 | 13 / 9 | |
| 0.2.1 | 13 / 9 | |
| 0.2.0 | 13 / 8 | |
| 0.1.3 | 7 / 3 | |
| 0.1.2 | 7 / 3 | |
| 0.1.1 | 8 / 3 | |
| 0.1.0 | 7 / 3 | |
| 0.0.1 | 0 / 0 | |
| 0.0.0 | 0 / 0 | |
v0.3.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (jonschlinkert, doowb). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2017-09-01. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-07-26. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-06-20. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-06-19. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-06-19. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-03-23. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2015-11-25. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
3 findings:
- All previous maintainers (mjor) were replaced by new maintainers (doowb, jonschlinkert). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2015-07-03. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.