hbs
Express.js template engine plugin for Handlebars
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): dougwilson is the Express.js maintainer and pillarjs org member; this is a legitimate ecosystem transfer, not a hijack. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to dougwilson is a legitimate transfer within the pillarjs/Express ecosystem. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): dougwilson is a trusted, long-standing Express ecosystem maintainer. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Previous maintainers replaced by dougwilson as part of legitimate pillarjs org maintenance. | ai |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 4.2.0 | 2 / 6 | |
| 2.9.0 | 2 / 3 | |
| 2.8.0 | 2 / 3 | |
| 2.7.0 | 2 / 3 | |
| 2.6.0 | 2 / 3 | |
| 2.5.0 | 2 / 3 | |
| 2.4.0 | 2 / 3 | |
| 2.3.1 | 2 / 3 | |
| 2.3.0 | 2 / 3 | |
| 2.0.2 | 1 / 3 | |
| 2.0.1 | 1 / 3 | |
| 2.0.0 | 1 / 3 | |
| 1.0.9 | 1 / 3 | |
| 1.0.8 | 1 / 3 | |
| 1.0.7 | 1 / 3 | |
| 1.0.6 | 1 / 3 | |
| 1.0.5 | 1 / 3 | |
| 1.0.4 | 1 / 3 | |
| 1.0.3 | 1 / 3 | |
| 1.0.2 | 1 / 3 | |
| 1.0.1 | 1 / 0 | |
| 1.0.0 | 1 / 0 | |
| 0.0.7 | 0 / 0 | |
| 0.0.6 | 0 / 0 | |
| 0.0.5 | 0 / 0 | |
| 0.0.4 | 0 / 0 | |
| 0.0.3 | 0 / 0 |
v4.2.0
3 findingsAll previous maintainers (donpark, defunctzombie) were replaced by new maintainers (dougwilson). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2021-11-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.