← Home

deepcopy

npm Repository Homepage

deep copy data

18
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sasaplus1

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/deepcopy.mjs AI (source-diff): ESM bundle with inlined type-detect; standard Rollup output, no actual network calls. ai
source-diff net-exec-file:dist/deepcopy.min.mjs AI (source-diff): Minified ESM bundle with inlined type-detect; standard build output, no actual network or malicious exec. ai
source-diff net-exec-file:dist/deepcopy.js AI (source-diff): Standard Rollup UMD bundle output; UMD boilerplate and type-detect inline bundle trigger false positive on network+exec heuristics. ai
source-diff net-exec-file:dist/deepcopy.legacy.js AI (source-diff): Legacy Rollup bundle with core-js polyfills; Function('return this')() is standard global-this detection, not malicious exec. ai
source-diff net-exec-file:dist/deepcopy.legacy.min.js AI (source-diff): Minified version of the legacy bundle; same false positive pattern as the unminified variant. ai
source-diff net-exec-file:dist/deepcopy.min.js AI (source-diff): Minified UMD bundle; same false positive as deepcopy.js from UMD boilerplate patterns. ai
source-diff net-exec-file:umd/deepcopy.mjs AI (source-diff): ESM bundle with type-detect inlined; standard Rollup commonjs plugin patterns. ai
source-diff net-exec-file:umd/deepcopy.js AI (source-diff): Standard Rollup-generated UMD bundle; environment detection (global/self/window) + createCommonjsModule pattern triggers false positive. ai
source-diff net-exec-file:umd/deepcopy.legacy.js AI (source-diff): Standard Rollup UMD bundle with core-js polyfills; Function('return this')() is standard global access pattern. ai
source-diff net-exec-file:umd/deepcopy.legacy.min.js AI (source-diff): Minified version of the legacy UMD bundle; same false positive pattern as the unminified version. ai
source-diff net-exec-file:umd/deepcopy.min.js AI (source-diff): Minified UMD bundle; standard Rollup output with type-detect bundled inline. ai
source-diff net-exec-file:umd/deepcopy.min.mjs AI (source-diff): Minified ESM bundle; same standard bundler output patterns triggering false positive. ai

Versions (showing 18 of 18)

Version Deps Published
2.1.0 1 / 29
2.0.0 1 / 26
1.0.1 1 / 29
1.0.0 1 / 29
0.6.3 0 / 33
0.6.2 0 / 33
0.6.1 0 / 19
0.6.0 0 / 19
0.5.0 0 / 7
0.4.0 0 / 7
0.3.3 0 / 5
0.3.2 0 / 5
0.3.1 0 / 5
0.3.0 0 / 5
0.2.0 0 / 2
0.1.2 0 / 1
0.1.1 0 / 1
0.1.0 0 / 3

v2.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

7 findings
HIGH New file with network + code execution: umd/deepcopy.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: umd/deepcopy.legacy.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: umd/deepcopy.legacy.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: umd/deepcopy.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: umd/deepcopy.min.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: umd/deepcopy.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

7 findings
HIGH New file with network + code execution: dist/deepcopy.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/deepcopy.legacy.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/deepcopy.legacy.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/deepcopy.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/deepcopy.min.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/deepcopy.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.