get-stream — Greenflagged

Get a stream as a string, Buffer, ArrayBuffer or array

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhusehmicky

Keywords

getstreampromiseconcatstringtextbufferreaddataconsumereadablereadablestreamobjectconcat

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): jamestalmage is a long-standing collaborator in the sindresorhus ecosystem; this 2016 publish is a legitimate collaboration, not a takeover.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): jamestalmage added as maintainer in 2016; well-established npm account with 11 approved packages over ~10 years.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase from 1KB to 5KB reflects legitimate feature additions (TypeScript types, buffer-stream module) across multiple major versions; total size is trivially small.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): pump is a well-known, legitimate stream utility; its addition to get-stream is architecturally appropriate and not a suspicious dependency.	ai	2026/04/21
dependencies	unvetted-dep:pinkie-promise	AI (dependencies): pinkie-promise is a well-known Promise polyfill for older Node.js, part of the sindresorhus ecosystem. Stable, benign dependency for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Lack of Sigstore provenance is common across npm and not a blocker for established packages.	ai	2026/04/21
dependencies	unvetted-dep:pump	AI (dependencies): pump is a well-known stream utility; its use in get-stream is legitimate and stable.	ai	2026/04/21

Versions (showing 22 of 22)

Version	Deps	Published
9.0.1	2 / 7	2024-03-16
9.0.0	2 / 7	2024-03-15
8.0.1	0 / 6	2023-08-17
8.0.0	0 / 6	2023-08-16
7.0.1	0 / 5	2023-07-01
7.0.0	0 / 5	2023-05-26
6.0.1	0 / 5	2021-04-15
6.0.0	0 / 5	2020-08-10
5.2.0	1 / 5	2020-08-09
5.1.0	1 / 5	2019-04-05
5.0.0	1 / 5	2019-03-11
4.1.0	1 / 3	2018-10-02
4.0.0	1 / 3	2018-08-10
3.0.0	0 / 3	2016-11-23
2.3.1	2 / 4	2016-09-14
2.3.0	2 / 4	2016-06-07
2.2.1	2 / 4	2016-06-06
2.2.0	2 / 4	2016-04-30
2.1.0	1 / 4	2016-04-28
2.0.0	1 / 3	2016-03-03
1.1.0	0 / 3	2015-11-20
1.0.0	0 / 3	2015-10-14

v5.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.