globby
User-friendly glob matching
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:dir-glob | AI (dependencies): dir-glob is a legitimate sindresorhus package; this is a stable false positive for globby across all versions. | ai | |
| phantom-deps | phantom-dep:@types/glob | AI (phantom-deps): @types/glob is intentionally listed as a runtime dep for TypeScript type re-export; not a phantom dep in the malicious sense. | ai | |
| typosquat | typosquat.levenshtein:glob | AI (typosquat): globby is a long-established, distinct package from glob — not a typosquat. Levenshtein proximity is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:slash | AI (dependencies): slash is a sindresorhus utility package, consistent with globby's dependency ecosystem. No security concern. | ai | |
| provenance | no-provenance | AI (provenance): sindresorhus packages historically lack Sigstore provenance; publisher trust is well-established through track record. | ai |
Versions (showing 55 of 55)
| Version | Deps | Published |
|---|---|---|
| 16.2.0 | 6 / 8 | |
| 16.1.1 | 6 / 8 | |
| 16.1.0 | 6 / 8 | |
| 16.0.0 | 6 / 8 | |
| 15.0.0 | 6 / 8 | |
| 14.1.0 | 6 / 8 | |
| 14.0.2 | 6 / 8 | |
| 14.0.1 | 6 / 8 | |
| 14.0.0 | 6 / 8 | |
| 13.2.2 | 5 / 10 | |
| 13.2.1 | 5 / 11 | |
| 13.2.0 | 5 / 11 | |
| 13.1.4 | 5 / 11 | |
| 13.1.3 | 5 / 10 | |
| 13.1.2 | 5 / 10 | |
| 13.1.1 | 5 / 10 | |
| 13.1.0 | 5 / 10 | |
| 13.0.0 | 5 / 10 | |
| 12.2.0 | 6 / 10 | |
| 12.1.0 | 6 / 10 | |
| 12.0.2 | 6 / 10 | |
| 12.0.1 | 6 / 10 | |
| 12.0.0 | 6 / 10 | |
| 11.1.0 | 6 / 8 | |
| 11.0.4 | 6 / 8 | |
| 11.0.3 | 6 / 8 | |
| 11.0.2 | 6 / 8 | |
| 11.0.1 | 6 / 8 | |
| 11.0.0 | 6 / 8 | |
| 10.0.2 | 8 / 8 | |
| 10.0.1 | 8 / 8 | |
| 10.0.0 | 8 / 8 | |
| 9.2.0 | 8 / 7 | |
| 9.1.0 | 8 / 7 | |
| 9.0.0 | 7 / 6 | |
| 8.0.2 | 7 / 6 | |
| 8.0.1 | 7 / 6 | |
| 8.0.0 | 7 / 6 | |
| 7.1.1 | 6 / 7 | |
| 7.1.0 | 6 / 7 | |
| 7.0.0 | 6 / 7 | |
| 6.1.0 | 5 / 6 | |
| 6.0.0 | 5 / 6 | |
| 5.0.0 | 6 / 6 | |
| 4.1.0 | 6 / 6 | |
| 4.0.0 | 6 / 6 | |
| 3.0.1 | 6 / 6 | |
| 3.0.0 | 6 / 6 | |
| 2.1.0 | 4 / 5 | |
| 2.0.0 | 4 / 5 | |
| 1.2.0 | 4 / 5 | |
| 1.1.0 | 4 / 5 | |
| 1.0.0 | 4 / 1 | |
| 0.1.1 | 4 / 1 | |
| 0.1.0 | 4 / 1 |
v14.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.