externality
[![npm version][npm-version-src]][npm-version-href] [![npm downloads][npm-downloads-src]][npm-downloads-href] [![Github Actions][github-actions-src]][github-actions-href] [![Codecov][codecov-src]][codecov-href] [![bundle][bundle-src]][bundle-href]
16
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
pi0danielroe
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): danielroe → pi0 is a known, legitimate transfer within the Nuxt/UnJS core team. Both publishers are well-established and trusted in the ecosystem. | ai | |
| dependencies | unvetted-dep:mlly | AI (dependencies): mlly is a core UnJS ecosystem package used throughout the unjs org; its presence in externality is expected and legitimate. | ai | |
| dependencies | unvetted-dep:enhanced-resolve | AI (dependencies): enhanced-resolve is webpack's well-established module resolver; its use in a module-externals package is entirely expected. | ai | |
| phantom-deps | phantom-dep:upath | AI (phantom-deps): upath is declared but not directly imported; only referenced in config files. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:allowlist | AI (phantom-deps): allowlist is declared but not directly imported; only referenced in config files. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Already marked as accepted risk; danielroe's packages consistently lack Sigstore provenance and have all been approved. | ai |