file-type — Greenflagged

Detect the file type of a file, stream, or data

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhus

Keywords

mimefiletypemagicarchiveimageimgpicpictureflashphotovideodetectcheckisexifelfmachoexebinarybufferuint8arrayjpgpngapnggifwebpflifxcfcr2cr3orfarwdngnefrw2raftifbmpicnsjxrpsdinddziptarrargzbz27zdmgmp4midmkvwebmmovavimpgmp2mp3m4aoggopusflacwavamrpdfepubmobiswfrtfwoffwoff2eotttfotfttcicoflvpsxzsqlitexpicabdebarrpmZlzcfbmxfmtswasmwebassemblyblendbpgdocxpptxxlsx3gpj2cjp2jpmjpxmj2aifodtodsodpxmlheicicsglbpcapdsflnkaliasvocac33g2m4bm4pm4vf4af4bf4pf4vmieqcpasfogvogmogaspxogxapewvcurnescrxktxdcmmpcarrowshpaacmp1its3mxmskpavifepslzhpgpasarstlchm3mfzstjxlvcfjlspstdwgparquetclassarjcpioaceavroiccfbxvsdxvttapkdrclz4potxxltxdotxxltmotsodgotgotpottxlsmdocmdotmpotmpptmjarjmprmsavppsmppsxtar.gzregdatkeynumberspages

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:is-exe	AI (dependencies): is-exe is a small sindresorhus-ecosystem utility for detecting EXE files; consistent with file-type's purpose of detecting file types from buffers.	ai	2026/04/23
dependencies	unvetted-dep:is-mp4	AI (dependencies): is-mp4 is a small utility for detecting MP4 files; consistent with file-type's purpose and sindresorhus's ecosystem pattern.	ai	2026/04/23
dependencies	unvetted-dep:is-swf	AI (dependencies): is-swf is a small utility for detecting SWF files; consistent with file-type's purpose and sindresorhus's ecosystem pattern.	ai	2026/04/23
dependencies	unvetted-dep:audio-type	AI (dependencies): audio-type is a small utility for detecting audio file types; consistent with file-type's purpose and sindresorhus's ecosystem pattern.	ai	2026/04/23
dependencies	unvetted-dep:is-pdf	AI (dependencies): is-pdf is a semantically appropriate dependency for a file-type detection library; consistent with the package's purpose and sindresorhus ecosystem.	ai	2026/04/23
dependencies	unvetted-dep:is-epub	AI (dependencies): is-epub is a semantically appropriate dependency for a file-type detection library; consistent with the package's purpose and sindresorhus ecosystem.	ai	2026/04/23
dependencies	unvetted-dep:strtok3	AI (dependencies): strtok3 is a well-known binary tokenizer library, a core long-standing dependency of file-type used for stream-based file parsing. Stable false positive.	ai	2026/04/23
dependencies	unvetted-dep:token-types	AI (dependencies): token-types is a companion library to strtok3 for binary token type definitions, a core long-standing dependency of file-type. Stable false positive.	ai	2026/04/23
dependencies	unvetted-dep:uint8array-extras	AI (dependencies): uint8array-extras is published by sindresorhus himself and is a legitimate utility library for Uint8Array operations used in file-type. Stable false positive.	ai	2026/04/23
dependencies	unvetted-dep:@tokenizer/inflate	AI (dependencies): @tokenizer/inflate is a decompression utility in the strtok3/tokenizer ecosystem, a legitimate core dependency for file-type's archive detection. Stable false positive.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval('require') is a documented Webpack bundling workaround in sindresorhus/file-type; not a supply-chain risk. Stable false positive for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): sindresorhus packages historically do not use Sigstore provenance; this is a stable pattern for this publisher and not a risk indicator.	ai	2026/04/21