deno
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | rapid-publish | AI (publish-pattern): Deno releases are automated via CI; rapid successive publishes are normal for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Official denoland/deno package with SLSA provenance; release cadence gaps are normal for a major runtime project. | ai | |
| provenance | publisher-changed | AI (provenance): Deno project migrated to GitHub Actions-based publishing with SLSA provenance. The publisher change from denobot to GitHub Actions is a documented, legitimate pipeline transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of dsherret is consistent with the denoland org's shift to automated GitHub Actions publishing. SLSA attestation confirms legitimate provenance. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Deno's postinstall installs platform-specific prebuilt binaries from optional deps — standard binary distribution pattern, stable across versions. | ai | |
| typosquat | typosquat.levenshtein:pino | AI (typosquat): Deno is a major JS/TS runtime with no relation to pino; Levenshtein proximity is coincidental. Not a typosquat. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in bin.cjs to launch the installed Deno binary — core functionality of a runtime wrapper package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync is used to detect glibc version for platform binary selection — benign and expected for cross-platform binary distribution. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 2.8.1 | 0 / 0 | |
| 2.7.14 | 0 / 0 | |
| 2.7.13 | 0 / 0 | |
| 2.7.12 | 0 / 0 | |
| 2.7.9 | 0 / 0 | |
| 2.7.8 | 0 / 0 | |
| 2.7.7 | 0 / 0 | |
| 2.5.5 | 0 / 0 | |
| 2.4.4 | 0 / 0 | |
| 2.4.3 | 0 / 0 | |
| 2.4.1 | 0 / 0 | |
| 2.4.0 | 0 / 0 | |
| 2.3.1 | 0 / 0 | |
| 2.2.15 | 0 / 0 | |
| 2.2.14 | 0 / 0 | |
| 2.2.13 | 0 / 0 | |
| 2.2.12 | 0 / 0 | |
| 2.1.14 | 0 / 0 |
v2.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.13
2 findingsScript: node ./install.cjs
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.12
2 findingsThis version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.9
2 findingsThis version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.7
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.4.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.4.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.3.1
2 findingsScript: node ./install.cjs
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.