fs-extra
fs-extra contains methods that aren't included in the vanilla Node.js fs package. Such as recursive mkdir, copy, and remove.
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance (status for the latest visible version): No SLSA provenance; npm registry signatures; gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
jprichardson, ryanzim, manidlou
Keywords
fs, file, file system, copy, directory, extra, mkdirp, mkdir, mkdirs, recursive, json, read, write, extra, delete, remove, touch, create, text, output, move, promise
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:mocha | AI (dependencies): mocha is a well-known test framework mistakenly placed in dependencies in this early version; not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:mocha | AI (phantom-deps): mocha is a dev/test tool declared but not directly imported; phantom-dep finding is a benign artifact of early package structure. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is a well-known utility declared but not directly imported; no security concern for this package. | ai | |
| dependencies | unvetted-dep:path-is-absolute | AI (dependencies): path-is-absolute is a well-known, legitimate sindresorhus utility; its use in fs-extra for cross-platform path handling is expected and benign. | ai | |
| phantom-deps | phantom-dep:jasmine-node | AI (phantom-deps): jasmine-node is a test runner referenced only in config files; it's a misplaced devDependency, not a runtime security concern. Stable for this package. | ai | |
| phantom-deps | phantom-dep:coffee-script | AI (phantom-deps): coffee-script is a build/test tool referenced only in config files; misplaced devDependency with no runtime security impact. Stable for this package. | ai | |
| dependencies | unvetted-dep:jasmine-node | AI (dependencies): jasmine-node is a well-known test framework; phantom dep analysis confirms it's not imported at runtime. Risk is negligible for this package. | ai | |
| dependencies | unvetted-dep:coffee-script | AI (dependencies): coffee-script is a well-known transpiler; phantom dep analysis confirms it's not imported at runtime. Risk is negligible for this package. | ai | |
| dependencies | unvetted-dep:path-extra | AI (dependencies): path-extra is a companion utility by the same author (jprichardson); its use in fs-extra is expected and stable across versions. | ai | |
| phantom-deps | phantom-dep:path-extra | AI (phantom-deps): path-extra is a declared dependency in package.json; phantom-dep finding is a false positive for this package's usage pattern. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): jprichardson, ryanzim, and manidlou are the documented, legitimate maintainers of fs-extra. jprichardson is the original author; ryanzim has 3324 days of npm history with clean record. Not a hijack. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Diff baseline is v0.6.2 (ancient). fs-extra v11.x legitimately contains many more source files than v0.6.2 due to years of feature additions. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely explained by comparing v11.3.4 to v0.6.2 across many major versions. No injected payload; growth is legitimate feature development. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (mkdirp, ncp) are established packages semantically aligned with fs-extra's file system functionality; not a suspicious injection pattern. | ai | |
| provenance | publisher-changed | AI (provenance): ryanzim is a known co-maintainer of the official fs-extra project. Publisher transition from jp to ryanzim is a legitimate, documented handoff. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are the well-known, legitimate fs-extra team (jprichardson is the original author). No hijack signal. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): jp was an old npm account for the same author (JP Richardson); removal is part of a legitimate account consolidation. | ai | |
| dependencies | unvetted-dep:ncp | AI (dependencies): ncp is an established Node.js copy utility; appropriate for fs-extra's file system extension purpose. | ai | |
| dependencies | unvetted-dep:at-least-node | AI (dependencies): at-least-node is a legitimate, minimal Node.js version-check utility; its use in fs-extra for engine compatibility checks is benign and stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; no provenance is expected and stable for all versions of this package. | ai | |
Versions (showing 51 of 102)
| Version | Deps | Published |
|---|---|---|
| 11.3.5 | 3 / 8 | |
| 11.3.4 | 3 / 8 | |
| 11.3.3 | 3 / 8 | |
| 11.3.2 | 3 / 8 | |
| 11.3.1 | 3 / 8 | |
| 11.3.0 | 3 / 8 | |
| 11.2.0 | 3 / 8 | |
| 11.1.1 | 3 / 8 | |
| 11.1.0 | 3 / 8 | |
| 11.0.0 | 3 / 8 | |
| 10.1.0 | 3 / 9 | |
| 10.0.1 | 3 / 9 | |
| 10.0.0 | 3 / 10 | |
| 9.1.0 | 4 / 9 | |
| 9.0.1 | 4 / 9 | |
| 9.0.0 | 4 / 9 | |
| 8.1.0 | 3 / 10 | |
| 8.0.1 | 3 / 10 | |
| 8.0.0 | 3 / 10 | |
| 7.0.1 | 3 / 13 | |
| 7.0.0 | 3 / 13 | |
| 6.0.1 | 3 / 13 | |
| 6.0.0 | 3 / 13 | |
| 5.0.0 | 3 / 13 | |
| 4.0.3 | 3 / 13 | |
| 4.0.2 | 3 / 13 | |
| 4.0.1 | 3 / 13 | |
| 4.0.0 | 3 / 13 | |
| 3.0.1 | 3 / 12 | |
| 3.0.0 | 3 / 11 | |
| 2.1.2 | 2 / 11 | |
| 2.1.1 | 2 / 11 | |
| 2.1.0 | 2 / 11 | |
| 2.0.0 | 2 / 11 | |
| 1.0.0 | 3 / 10 | |
| 0.30.0 | 5 / 8 | |
| 0.29.0 | 4 / 8 | |
| 0.28.0 | 5 / 8 | |
| 0.27.0 | 5 / 8 | |
| 0.26.7 | 5 / 8 | |
| 0.26.6 | 5 / 8 | |
| 0.26.5 | 5 / 8 | |
| 0.26.4 | 5 / 8 | |
| 0.26.3 | 5 / 8 | |
| 0.26.2 | 5 / 8 | |
| 0.26.1 | 5 / 8 | |
| 0.26.0 | 5 / 8 | |
| 0.25.0 | 4 / 8 | |
| 0.24.0 | 4 / 8 | |
| 0.23.1 | 4 / 8 | |
| 0.23.0 | 4 / 8 | |
v11.3.5 (1 finding)
INFO | No provenance attestation | provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.