engine-lodash
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from jonschlinkert to doowb occurred in 2015 and is a long-settled legitimate maintainer transition within the Assemble/jonschlinkert ecosystem. Both are well-known contributors. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Package uses lazy-cache pattern; deps are declared but loaded on demand rather than directly imported. This is a known jonschlinkert pattern, not a real phantom dep issue. | ai | |
| phantom-deps | phantom-dep:ansi-red | AI (phantom-deps): Same lazy-cache pattern — declared deps loaded lazily, not directly imported at module top level. | ai | |
| phantom-deps | phantom-dep:engine-utils | AI (phantom-deps): Same lazy-cache pattern — declared deps loaded lazily, not directly imported at module top level. | ai | |
| phantom-deps | phantom-dep:delimiter-regex | AI (phantom-deps): Same lazy-cache pattern — declared deps loaded lazily, not directly imported at module top level. | ai | |
| provenance | no-provenance | AI (provenance): Package predates npm Sigstore provenance by years; absence is expected and not a risk signal for this package. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.8.2 | 5 / 3 | |
| 0.8.0 | 5 / 3 | |
| 0.7.1 | 4 / 2 | |
| 0.7.0 | 6 / 2 | |
| 0.6.3 | 5 / 2 | |
| 0.6.2 | 5 / 2 | |
| 0.6.1 | 5 / 2 | |
| 0.5.0 | 5 / 2 | |
| 0.4.3 | 5 / 2 | |
| 0.4.2 | 5 / 2 | |
| 0.4.0 | 5 / 2 | |
| 0.3.5 | 6 / 4 | |
| 0.3.3 | 4 / 4 | |
| 0.3.2 | 4 / 4 | |
| 0.3.1 | 4 / 4 | |
| 0.3.0 | 4 / 4 | |
| 0.2.0 | 4 / 4 | |
| 0.1.2 | 4 / 4 | |
| 0.1.1 | 4 / 4 | |
| 0.1.0 | 4 / 4 |
v0.8.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
2 findingsThis version was published by a different npm account than previous versions on 2015-02-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.