file-entry-cache
A lightweight cache for file metadata, ideal for processes that work on a specific set of files and only need to reprocess files that have changed since the last run
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Package migrated to a TypeScript build pipeline (tsup) in a monorepo; missing gitHead is consistent with a changed CI/CD publish flow, not a security concern for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by migration to TypeScript with tsup build pipeline producing CJS+ESM+type declaration outputs in dist/. This is a structural change, not an injected payload. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): dist/index.js is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): jaredwray is the legitimate new steward of the cacheable ecosystem (github.com/jaredwray/cacheable). 48 approved packages, 929 days history, no rejections. Transition is documented in the repo. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): royriojas transferred stewardship to jaredwray for the cacheable monorepo. Legitimate transition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from royriojas to jaredwray is a documented legitimate transfer to the cacheable monorepo maintainer. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jaredwray is a well-established npm publisher with a clean track record, taking over the cacheable ecosystem packages. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): dist/index.cjs is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. | ai | |
| dependencies | unvetted-dep:flat-cache | AI (dependencies): flat-cache is a well-known caching library maintained by the same author (jaredwray) in the same cacheable monorepo; it is a legitimate and expected dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): Absence of Sigstore provenance is common (~88% of npm packages) and not a security concern for this package given its clean metadata and known repository. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 11.1.3 | 1 / 3 | |
| 11.1.2 | 1 / 8 | |
| 11.1.1 | 1 / 8 | |
| 11.1.0 | 1 / 8 | |
| 11.0.0 | 1 / 8 | |
| 10.1.4 | 1 / 7 | |
| 10.1.3 | 1 / 7 | |
| 10.1.1 | 1 / 7 | |
| 10.1.0 | 1 / 7 | |
| 10.0.8 | 1 / 7 | |
| 10.0.7 | 1 / 7 | |
| 10.0.6 | 1 / 7 | |
| 10.0.5 | 1 / 7 | |
| 10.0.4 | 1 / 7 | |
| 10.0.3 | 1 / 7 | |
| 10.0.2 | 1 / 7 | |
| 10.0.1 | 1 / 7 | |
| 10.0.0 | 1 / 7 | |
| 9.1.0 | 1 / 8 | |
| 9.0.0 | 1 / 8 | |
| 8.0.0 | 1 / 11 | |
| 7.0.2 | 1 / 10 | |
| 7.0.1 | 1 / 11 | |
| 7.0.0 | 1 / 11 | |
| 6.0.1 | 1 / 15 | |
| 6.0.0 | 1 / 15 | |
| 5.0.1 | 1 / 16 | |
| 5.0.0 | 1 / 16 | |
| 4.0.0 | 1 / 16 | |
| 2.0.0 | 2 / 16 | |
| 1.3.1 | 2 / 16 | |
| 1.3.0 | 2 / 16 | |
| 1.2.4 | 2 / 17 | |
| 1.2.3 | 2 / 17 | |
| 1.2.0 | 2 / 17 | |
| 1.1.1 | 2 / 12 | |
| 1.0.1 | 2 / 12 | |
| 1.0.0 | 2 / 12 | |
v11.1.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.1.0
6 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-10-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
6 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-10-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.4
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-08-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.3
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.1
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-06-08. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.0
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-05-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.8
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-04-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.7
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-03-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.6
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2025-01-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.5
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-12-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.4
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-11-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.3
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-11-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.2
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-11-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-10-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-10-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
3 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2024-08-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
4 findings
All previous maintainers (royriojas) were replaced by new maintainers (jaredwray). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
This version was published by a different npm account than previous versions on 2024-05-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
v7.0.2
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-11-16. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.1
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jaredwray.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-06. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.