engine
Template engine based on Lo-Dash template, but adds features like the ability to register helpers and more easily set data to be used as context in templates.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:get-value | AI (phantom-deps): lazy-cache pattern causes static phantom-dep false positives in this package; dependency is legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:set-value | AI (phantom-deps): lazy-cache pattern causes static phantom-dep false positives in this package; dependency is legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:collection-visit | AI (phantom-deps): lazy-cache pattern causes static phantom-dep false positives in this package; dependency is legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:assign-deep | AI (phantom-deps): lazy-cache pattern causes static phantom-dep false positives in this package; dependency is legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:object.omit | AI (phantom-deps): lazy-cache pattern causes static phantom-dep false positives in this package; dependency is legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:kind-of | AI (phantom-deps): jonschlinkert packages use lazy-cache for deferred requires; static analysis cannot detect dynamic requires, making this a stable false positive. | ai | |
| source-diff | net-exec-file:index.js | AI (source-diff): index.js is a legitimate template engine implementation; require() calls are not network calls and the constructor pattern is not dynamic code execution. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lazy-cache | AI (phantom-deps): lazy-cache is likely used indirectly via lib/utils.js; phantom-dep detection doesn't account for indirect imports in utility modules. | ai | |
| phantom-deps | phantom-dep:shallow-clone | AI (phantom-deps): shallow-clone is likely used indirectly via lib/utils.js; same pattern as lazy-cache false positive. | ai | |
| provenance | publisher-changed | AI (provenance): The package.json has always attributed authorship to jonschlinkert; the 2016 publisher change reflects a legitimate transfer to the original author. No malicious signals accompany it. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 1 / 2 | |
| 0.1.12 | 7 / 10 | |
| 0.1.11 | 7 / 9 | |
| 0.1.10 | 7 / 9 | |
| 0.1.9 | 7 / 9 | |
| 0.1.8 | 7 / 9 | |
| 0.1.7 | 7 / 9 | |
| 0.1.6 | 7 / 9 | |
| 0.1.5 | 5 / 9 | |
| 0.1.4 | 3 / 8 | |
| 0.1.3 | 3 / 8 | |
| 0.1.2 | 4 / 7 | |
| 0.1.1 | 5 / 7 | |
| 0.0.10 | 0 / 2 |
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
2 findingsThis version was published by a different npm account than previous versions on 2016-07-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-12-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.