corepack
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/lib/corepack.cjs | AI (source-diff): Encoded string is the llhttp WASM binary bundled from undici; expected in every corepack build. | ai | |
| provenance | publisher-changed | AI (provenance): nodejs/corepack migrated to GitHub Actions CI publishing; change is intentional and attested via SLSA provenance. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy reflects the nodejs-foundation → GitHub Actions transition, not account takeover; SLSA attestation confirms legitimate CI origin. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.35.0 | 0 / 20 | |
| 0.34.7 | 0 / 23 | |
| 0.34.6 | 0 / 23 | |
| 0.34.5 | 0 / 23 | |
| 0.34.4 | 0 / 23 | |
| 0.34.3 | 0 / 23 | |
| 0.34.2 | 0 / 23 | |
| 0.34.1 | 0 / 23 | |
| 0.34.0 | 0 / 23 | |
| 0.33.0 | 0 / 23 |
v0.35.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.4
3 findingsThis version was published by a different npm account than previous versions on 2025-11-14. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.3
3 findingsThis version was published by a different npm account than previous versions on 2025-11-07. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.2
3 findingsThis version was published by a different npm account than previous versions on 2025-11-02. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.1
3 findingsThis version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.