insight

Understand how your tool is being used by anonymously reporting usage metrics to Google Analytics or Yandex.Metrica

Versions: 6
License: BSD-2-Clause
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhus

Keywords

package, stats, google, analytics, track, metrics, yandex, metrica

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used solely to load a package.json file from a configurable path, a standard CLI tool pattern with no malicious potential in this context. | ai |
license | uncommon-license:BSD | AI (license): BSD is a well-understood permissive license; the uncommon-license flag is a false positive for this package. | ai |
dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP library used legitimately for sending analytics data; stable dependency for this package. | ai |
phantom-deps | phantom-dep:tough-cookie | AI (phantom-deps): tough-cookie is listed as a direct dep in package.json and used transitively via request; minor packaging concern, not a security issue. | ai |
provenance | publisher-changed | AI (provenance): Transition from sindresorhus to sboudrias (core Yeoman contributor) in 2019 is a known legitimate maintainer handoff; sboudrias has a strong track record on npm. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): insight spawns background processes to report telemetry without blocking; child_process use is core to its documented functionality. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): New dep is `ky`, sindresorhus's own widely-used fetch wrapper, a natural modernization replacement for `request`. Not a suspicious dependency for this package. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): sindresorhus is the original author reclaiming sole ownership; removal of old collaborators is a legitimate housekeeping action, not a takeover signal. | ai |

Versions (showing 6 of 6)

Version | Deps | Published
0.12.0 | 6 / 5 |
0.10.2 | 9 / 5 |
0.10.1 | 9 / 5 |
0.6.0 | 9 / 3 |
0.4.3 | 9 / 3 |
0.1.2 | 6 / 1 |

v0.12.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.2

2 findings
HIGH: Publisher changed: sindresorhus → sboudrias (on 2019-04-14) (category: provenance)

This version was published by a different npm account than previous versions on 2019-04-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.1

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.2

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.