cron — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ncb000gtjodevsaintcreator

Keywords

cronnode cronnode-cronscheduleschedulercronjobcron job

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
email-domain	unclaimed-email:https://intcreator.com/	AI (email-domain): The 'email' field contains a URL rather than an email address — a metadata formatting issue, not a real unclaimed domain. The GitHub repo and maintainer identity are consistent and legitimate.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): intcreator is explicitly listed as a contributor in package.json; addition reflects a documented, legitimate maintainer transition.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): intcreator is a named contributor in package.json with 24 approved packages and 937 days of npm history — legitimate maintainer transition, not a takeover.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): luxon replaces moment-timezone as a well-known, trusted date/time library. This is a documented dependency modernization, not a suspicious addition.	ai	2026/04/24
phantom-deps	phantom-dep:@types/luxon	AI (phantom-deps): @types/luxon is a TypeScript type package legitimately listed as a runtime dep because cron ships TypeScript declarations. This pattern is stable for this package.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): cron legitimately uses child_process to spawn scheduled jobs — this is core functionality of the package, not a malicious indicator.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; absence is expected for this age and ecosystem context.	ai	2026/04/24

Versions (showing 33 of 33)

Version	Deps	Published
4.4.0	2 / 29	2025-12-09
4.3.5	2 / 29	2025-11-30
4.3.4	2 / 29	2025-11-06
4.3.3	2 / 30	2025-08-01
4.3.2	2 / 30	2025-07-13
4.3.1	2 / 30	2025-05-29
4.3.0	2 / 30	2025-04-15
4.2.0	2 / 30	2025-04-14
4.1.4	2 / 30	2025-04-06
4.1.3	2 / 30	2025-03-28
4.1.2	2 / 30	2025-03-28
4.1.1	2 / 29	2025-03-26
4.1.0	2 / 28	2025-02-24
4.0.0	2 / 28	2025-02-19
3.5.0	2 / 28	2025-01-10
3.4.0	2 / 28	2025-01-09
3.3.2	2 / 28	2024-12-30
3.3.1	2 / 28	2024-12-12
3.3.0	2 / 28	2024-12-10
3.2.1	2 / 27	2024-11-12
3.2.0	2 / 26	2024-11-12
3.1.9	2 / 26	2024-11-04
3.1.8	2 / 26	2024-10-29
3.1.7	2 / 26	2024-04-08
3.1.6	2 / 26	2023-10-29
3.1.5	2 / 26	2023-10-26
3.1.4	2 / 25	2023-10-24
3.1.3	2 / 25	2023-10-19
3.1.2	2 / 25	2023-10-19
3.1.1	2 / 25	2023-10-12
3.1.0	2 / 25	2023-10-09
3.0.0	2 / 25	2023-09-30
1.7.0	1 / 12	2019-03-10

v4.4.0

2 findings

HIGH Unclaimed maintainer email domain: https://intcreator.com/ email-domain

Maintainer email 'https://intcreator.com/' uses domain 'https://intcreator.com/' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.7

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2024-04-08) provenance

This version was published by a different npm account than previous versions on 2024-04-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.6

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-29) provenance

This version was published by a different npm account than previous versions on 2023-10-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.5

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-26) provenance

This version was published by a different npm account than previous versions on 2023-10-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.4

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-24) provenance

This version was published by a different npm account than previous versions on 2023-10-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.3

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-19) provenance

This version was published by a different npm account than previous versions on 2023-10-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.2

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-19) provenance

This version was published by a different npm account than previous versions on 2023-10-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-12) provenance

This version was published by a different npm account than previous versions on 2023-10-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-10-09) provenance

This version was published by a different npm account than previous versions on 2023-10-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

2 findings

HIGH Publisher changed: ncb000gt → intcreator (on 2023-09-30) provenance

This version was published by a different npm account than previous versions on 2023-09-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.