empty-dir
Check if a directory is empty.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate transfer to Gulp team (gulpjs org). phated (Blaine Bublitz) and contra are core Gulp maintainers listed as contributors. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from jonschlinkert to phated reflects intentional transfer to gulpjs org; phated is a highly trusted publisher. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): yocontra is an alternate npm username for the same person as contra (Tyler Kellen, Gulp contributor). Not a real maintainer change. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): contra and yocontra are the same person; removal of one alias while adding another is not a package takeover signal. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 3.0.0 | 0 / 7 | |
| 2.0.0 | 0 / 6 | |
| 1.0.0 | 0 / 1 | |
| 0.2.1 | 1 / 2 | |
| 0.2.0 | 1 / 2 | |
| 0.1.0 | 0 / 2 | |
v3.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findings
All previous maintainers (jonschlinkert, tkellen) were replaced by new maintainers (contra, phated). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2018-12-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.