ignore-walk — Greenflagged

Nested/recursive `.gitignore`/`.npmignore` parsing and filtering.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Keywords

ignorefileignorefile.gitignore.npmignoreglob

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): npm org migrated publishing to GitHub Actions with SLSA provenance; stable for this package.	ai	2026/05/09
maintainer-change	maintainer-removed	AI (maintainer-change): npm CLI team maintainer rotation; package remains under npm GitHub org.	ai	2026/05/09
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy normal for stable npm infra packages; major version bump after long stable period.	ai	2026/05/09

Versions (showing 28 of 28)

Version	Deps	Published
9.0.0	1 / 4	2026-05-08
8.0.0	1 / 4	2025-07-24
7.0.0	1 / 4	2024-09-04
6.0.5	1 / 4	2024-05-04
6.0.4	1 / 4	2023-11-29
6.0.3	1 / 4	2023-04-26
6.0.2	1 / 4	2023-03-21
6.0.1	1 / 6	2023-02-07
6.0.0	1 / 6	2022-10-14
5.0.1	1 / 6	2022-04-06
5.0.0	1 / 6	2022-04-06
4.0.1	1 / 5	2021-08-23
4.0.0	1 / 9	2021-08-23
3.0.4	1 / 4	2021-05-06
3.0.3	1 / 4	2019-10-09
3.0.2	1 / 4	2019-09-06
3.0.1	1 / 4	2017-10-20
3.0.0	1 / 4	2017-06-02
2.0.5	1 / 4	2017-06-02
2.0.4	1 / 4	2017-06-02
2.0.3	1 / 4	2017-06-02
2.0.2	1 / 4	2017-05-27
2.0.1	1 / 4	2017-05-27
2.0.0	1 / 4	2017-05-26
1.1.0	1 / 4	2017-05-26
1.0.2	1 / 4	2017-05-22
1.0.1	1 / 4	2017-05-22
1.0.0	0 / 2	2017-05-22

v9.0.0

2 findings

HIGH Publisher changed: npm-cli-ops → GitHub Actions (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.