detect-package-manager — Greenflagged

Detect which package manager you're using (yarn or npm)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

egoistrem

Keywords

npmyarnpackage-managerdetectcheckpnpm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): egoist is the documented author of this package (repo: egoist/detect-package-manager, author field matches). The account change from 'rem' to 'egoist' reflects a legitimate ownership consolidation, not a compromise.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): egoist is the package author per package.json; adding them as maintainer is expected and legitimate.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase from 1KB to 5KB is due to new dual ESM/CJS build output via tsup in a major version bump. Trivially small in absolute terms and consistent with the build script changes.	ai	2026/04/24

Versions (showing 8 of 8)

Version	Deps	Published
3.0.2	1 / 6	2024-05-05
3.0.1	1 / 6	2023-09-04
3.0.0	1 / 6	2023-09-04
2.0.1	1 / 6	2021-10-24
2.0.0	1 / 6	2021-10-24
1.1.0	2 / 3	2017-08-11
1.0.1	2 / 3	2017-08-11
1.0.0	2 / 3	2017-08-11