deep-equal

node's assert.deepEqual algorithm

Versions: 22
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ljharb

Keywords

equality, equal, compare

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
npm-metadata | suspicious-initial-version | AI (npm-metadata): deep-equal 0.0.0 was published 14+ years ago by the well-known substack author; 0.0.0 was common versioning practice at that time, not a malware indicator. | ai |
license | uncommon-license:MIT/X11 | AI (license): MIT/X11 is an older but valid expression of the MIT license, consistently used across this package's history. | ai |
dependencies | unvetted-dep:object-is | AI (dependencies): object-is is a well-known ES6 polyfill package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:is-arguments | AI (dependencies): is-arguments is a well-known ljharb utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:side-channel | AI (dependencies): side-channel is a well-known ljharb utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:object.assign | AI (dependencies): object.assign is a well-known ES6 polyfill package maintained by ljharb; legitimate dependency. | ai |
dependencies | unvetted-dep:is-date-object | AI (dependencies): is-date-object is a well-known ljharb utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:is-array-buffer | AI (dependencies): is-array-buffer is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:is-regex | AI (dependencies): is-regex is a well-known ljharb/inspect-js ecosystem package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:which-typed-array | AI (dependencies): which-typed-array is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:which-boxed-primitive | AI (dependencies): which-boxed-primitive is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:is-shared-array-buffer | AI (dependencies): is-shared-array-buffer is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:regexp.prototype.flags | AI (dependencies): regexp.prototype.flags is a well-known ES6 polyfill maintained by ljharb; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:array-buffer-byte-length | AI (dependencies): array-buffer-byte-length is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
provenance | no-provenance | AI (provenance): deep-equal is a long-established package (5183 days) from a reputable publisher; lack of Sigstore provenance is not a risk signal here. | ai |
dependencies | unvetted-dep:which-collection | AI (dependencies): which-collection is a well-known inspect-js utility package; legitimate dependency for deep-equal. | ai |
dependencies | unvetted-dep:call-bind | AI (dependencies): call-bind is a well-known ljharb utility package used throughout the inspect-js ecosystem; legitimate dependency. | ai |

Versions (showing 22 of 22)

Version | Deps | Published
2.2.3 | 18 / 16 |
2.2.2 | 18 / 15 |
2.2.1 | 18 / 13 |
2.2.0 | 17 / 13 |
2.1.0 | 15 / 13 |
2.0.5 | 15 / 11 |
2.0.4 | 14 / 11 |
2.0.3 | 14 / 11 |
2.0.2 | 13 / 11 |
2.0.1 | 12 / 10 |
1.1.2 | 6 / 13 |
1.1.1 | 6 / 5 |
1.1.0 | 6 / 3 |
1.0.1 | 0 / 1 |
1.0.0 | 0 / 1 |
0.2.2 | 0 / 1 |
0.2.1 | 0 / 1 |
0.2.0 | 0 / 1 |
0.1.2 | 0 / 1 |
0.1.1 | 0 / 2 |
0.1.0 | 0 / 2 |
0.0.0 | 0 / 1 |

v2.2.3: 1 finding

INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.