
depcheck-es6

Check dependencies in your node module

Versions: 9
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap. A registry signature, where present, only binds the package name, version and tarball hash to the registry's key and says nothing about which repository or build produced the tarball, and the gitHead field is a self-reported value written by whoever ran npm publish, not something the registry verifies.

Maintainers

lijunlerumpl

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require loads package.json from a user-supplied rootDir; this is core functionality for a dependency-checking tool, not an arbitrary module loading risk. | ai |
phantom-deps | phantom-dep:optimist | AI (phantom-deps): optimist is a CLI dependency referenced in config/scripts; not a security concern for this utility package. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): The added 'request' dependency is a well-known HTTP client consistent with the new web-report feature introduced in this version. No malicious indicators. | ai |
provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; absence of attestation is expected for this legacy package and not a risk signal. | ai |
dependencies | unvetted-dep:request | AI (dependencies): The `request` package is a well-known HTTP library used for the web-report feature; its presence is consistent with the package's documented functionality. | ai |
bogus-package | bogus-package | AI (bogus-package): Package is 3869 days old with a clear purpose and GitHub repo; README quality signals are cosmetic and not indicative of spam or malicious intent. | ai |

Versions (showing 9 of 9)

Version | Deps   | Published
0.5.59  | 9 / 8  |
0.5.8   | 9 / 8  |
0.5.7   | 11 / 8 |
0.5.6   | 10 / 8 |
0.5.5   | 9 / 8  |
0.5.3   | 8 / 8  |
0.5.2   | 6 / 5  |
0.5.1   | 6 / 5  |
0.5.0   | 6 / 2  |

v0.5.59

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.