funding

Get open source maintainers paid

Versions: 5
License: MIT
Install scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

feross

Keywords

funding, maintainers, open source, sustainability

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
bogus-package | bogus-package | AI (bogus-package): feross is a highly reputable publisher; this is a known placeholder/namespace package, not spam or malware. Signals are stable false positives for this package. | ai |
npm-metadata | no-description | AI (npm-metadata): Placeholder package by feross; missing description is consistent with a namespace reservation, not a throwaway malicious package. | ai |
npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 reflects an intentional placeholder by a trusted publisher; not indicative of malicious intent for this package. | ai |
install-scripts | install-script:install | AI (install-scripts): The install script runs `node bin/funding.js`, which displays a funding message — the explicit, documented purpose of this package by trusted publisher feross. Stable and benign across all versions. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): ci-info is a well-established CI detection package; its addition is clearly to suppress funding messages in CI environments — a legitimate and common pattern. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): The postinstall script is the core feature of this package — it displays a funding message. This is intentional, documented behavior by a highly trusted publisher (feross). | ai |
dependencies | unvetted-dep:term-size | AI (dependencies): term-size is a legitimate Sindre Sorhus utility for terminal dimensions, appropriate for formatting the funding display message. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
1.0.7 | 5 / 2 |
1.0.5 | 5 / 2 |
1.0.1 | 4 / 2 |
1.0.0 | 4 / 2 |
0.0.0 | 0 / 0 |

v1.0.7

1 finding
LOW: No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

1 finding
LOW: No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

2 findings
HIGH: Package has 'install' script (rule: install-scripts)

Script: node bin/funding.js

LOW: No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW: No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

2 findings
HIGH: Low-value / spam package indicators (6 signals, score 7) (rule: bogus-package)

Matched 6 signal(s), weighted score 7:
- [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section.
- [S_DESC_MATCHES_NAME] Description is empty or just restates the package name.
- [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
- [S_NO_KEYWORDS] No keywords declared.
- [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared.
- [S_TINY_PAYLOAD] Tiny payload: 0 code file(s), 213 bytes total.

LOW: No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.