istextorbinary
Determine if a filename and/or buffer is text or binary. Smarter detection than the other solutions.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
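The check the scanner is making here, and the "publisher-changed" and "maintainer-added" rows further down, can be reproduced from the public npm registry document (the packument) for a package. The following is an added example, not code from the scan tool or from the istextorbinary project: it walks a CONSTRUCTED packument (names, dates and digests are made up for the example; the field names `versions`, `time`, `dist.integrity`, `dist.attestations` and `_npmUser` follow the registry's real format) and reports, per version in publish order, whether a provenance attestation is attached and whether the publishing account differs from the previous release.

```javascript
// Added example (not part of the scan report or of istextorbinary).
// Sample packument is CONSTRUCTED for this example; only the field layout
// mirrors what https://registry.npmjs.org/<name> returns.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  time: {
    created: "2019-01-01T00:00:00.000Z",
    modified: "2023-11-01T00:00:00.000Z",
    "1.0.0": "2019-01-01T00:00:00.000Z",
    "1.1.0": "2020-06-01T00:00:00.000Z",
    "2.0.0": "2023-11-01T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" }, dist: { integrity: "sha512-AAA" } },
    "1.1.0": { _npmUser: { name: "alice" }, dist: { integrity: "sha512-BBB" } },
    "2.0.0": {
      _npmUser: { name: "org-bot" },
      dist: {
        integrity: "sha512-CCC",
        // Present only when the version was published with --provenance
        // from a supported CI system; the registry then serves the bundle
        // at `url`, which `npm audit signatures` fetches and verifies.
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.0.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Walk versions in publish order (by `time`, not by semver, so a backport
// released after a newer major is compared with what actually preceded it)
// and record the findings a reviewer would want per version.
function auditPackument(packument) {
  const times = packument.time || {};
  const versions = Object.keys(packument.versions).sort(
    (a, b) => new Date(times[a] || 0) - new Date(times[b] || 0)
  );
  const report = [];
  let previousPublisher = null;
  for (const version of versions) {
    const meta = packument.versions[version];
    const publisher = meta._npmUser?.name ?? null;
    // The registry JSON only tells us an attestation EXISTS; validating the
    // Sigstore bundle (certificate chain, Rekor entry, source repo in the
    // subject) is a separate step done by `npm audit signatures`.
    const hasProvenance = Boolean(meta.dist?.attestations?.provenance?.predicateType);
    const findings = [];
    if (!hasProvenance) findings.push("no-provenance");
    if (previousPublisher !== null && publisher !== previousPublisher) {
      findings.push(`publisher-changed:${previousPublisher}->${publisher}`);
    }
    if (!meta.dist?.integrity?.startsWith("sha512-")) findings.push("weak-or-missing-integrity");
    report.push({ version, published: times[version] ?? null, publisher, hasProvenance, findings });
    previousPublisher = publisher;
  }
  return report;
}

// Versions whose publisher differs from the release before them.
function publisherTransitions(report) {
  return report.filter((r) => r.findings.some((f) => f.startsWith("publisher-changed")));
}

for (const row of auditPackument(SAMPLE_PACKUMENT)) {
  console.log(`${row.version.padEnd(8)} ${String(row.publisher).padEnd(10)} ${row.findings.join(", ") || "ok"}`);
}
```

Against the live registry the same fields come from `npm view <pkg>@<version> dist.attestations` and `npm view <pkg> time`; `npm audit signatures` does the actual cryptographic verification of any attestations found in your lockfile. A publisher change is only a signal: the accepted-risk table below treats the balupton→bevryme move as an org consolidation, which is exactly the judgement call this kind of output hands to a human.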
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): @typescript-eslint/eslint-plugin is a dev eslint plugin accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:typedoc | AI (phantom-deps): typedoc is a dev documentation tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): prettier is a dev formatting tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:projectz | AI (phantom-deps): projectz is a dev readme generator accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): typescript is a dev compiler accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-prettier | AI (phantom-deps): eslint-plugin-prettier is a dev eslint plugin accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): @typescript-eslint/parser is a dev eslint parser accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bevry/update-contributors | AI (phantom-deps): @bevry/update-contributors is a dev meta tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:kava | AI (phantom-deps): kava is a dev-only test runner accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:surge | AI (phantom-deps): surge is a deployment tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): eslint is a dev linting tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:valid-module | AI (phantom-deps): valid-module is a dev validation tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:assert-helpers | AI (phantom-deps): assert-helpers is a dev test utility accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:valid-directory | AI (phantom-deps): valid-directory is a dev validation tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:make-deno-edition | AI (phantom-deps): make-deno-edition is a dev build tool accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-config-bevry | AI (phantom-deps): eslint-config-bevry is a dev eslint config accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): eslint-config-prettier is a dev eslint config accidentally placed in dependencies; not imported at runtime. Stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change balupton→bevryme reflects Bevry org moving from personal to org npm account; bevryme has 34 approved packages and 3010-day history. Legitimate transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bevryme is the Bevry organization npm account; addition is consistent with org-level account consolidation, not a hostile takeover. | ai | |
| dependencies | unvetted-dep:editions | AI (dependencies): editions is a core dependency for multi-edition support; stable for this package's documented architecture. | ai | |
| dependencies | unvetted-dep:textextensions | AI (dependencies): textextensions is essential to the package's text detection logic; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:binaryextensions | AI (dependencies): binaryextensions is essential to the package's binary detection logic; stable dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): Lack of provenance is common (~88% of packages) and not a security concern for this well-established package. | ai | |
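Seventeen of the rows above are the same finding: a name listed under `dependencies` that nothing in the shipped code imports. The following is an added example of how such a "phantom dependency" check works, not the scanner's own logic or code from istextorbinary. Both inputs are CONSTRUCTED: the `package.json` is loosely modelled on the findings above, the source files are invented, and the list of Node built-ins is a hand-picked subset (a real tool would use `require('node:module').builtinModules`).

```javascript
// Added example (not part of the scan report or of istextorbinary).
// A phantom dependency = declared in `dependencies` but never imported.
// An undeclared import = imported from source but not declared.

// CONSTRUCTED inputs for the example.
const SAMPLE_PACKAGE_JSON = {
  name: "example-pkg",
  dependencies: {
    editions: "^6.0.0",
    textextensions: "^6.0.0",
    binaryextensions: "^6.0.0",
    typescript: "^5.0.0",
    eslint: "^8.0.0",
    "@typescript-eslint/parser": "^6.0.0",
  },
};
const SAMPLE_SOURCES = {
  "source/index.js": `
    'use strict'
    const { textExtensions } = require('textextensions')
    const binary = require('binaryextensions/index.js')
    import('editions/edition-esm/index.js').then(() => {})
    const fs = require('node:fs')
    const path = require('path')
    const helper = require('./lib/helper')
    const { Buffer } = require("buffer")
  `,
  "source/lib/helper.js": `
    import yaml from 'js-yaml'
    export default function helper() {}
  `,
};

// Hand-picked subset of Node core modules (assumption for the example).
const NODE_BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "module", "net", "os", "path", "process", "stream", "url", "util", "zlib",
]);

// Module specifiers from require(), dynamic import(), static import and re-export.
const SPECIFIER_PATTERNS = [
  /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g,
  /\bexport\s+(?:\*|\{[^}]*\})\s*from\s+['"]([^'"]+)['"]/g,
];

function extractSpecifiers(text) {
  const found = [];
  for (const re of SPECIFIER_PATTERNS) {
    for (const m of text.matchAll(re)) found.push(m[1]);
  }
  return found;
}

// Reduce a specifier to the package that provides it, or null when it is
// a relative/absolute path or a Node core module.
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  if (specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

function findPhantomDeps(pkg, sources) {
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const imported = new Set();
  for (const text of Object.values(sources)) {
    for (const spec of extractSpecifiers(text)) {
      const name = packageNameOf(spec);
      if (name) imported.add(name);
    }
  }
  return {
    phantom: [...declared].filter((d) => !imported.has(d)).sort(),
    undeclared: [...imported].filter((i) => !declared.has(i)).sort(),
  };
}

console.log(findPhantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
```

Two caveats a practitioner should keep in mind when reading the table. The regex scan sees only literal specifiers, so anything loaded through a computed `require()`, a `bin` script, or a loader such as editions' runtime edition selection is invisible to it, which is how genuine dependencies can be reported as phantom. And "not imported at runtime" does not make a misplaced dev tool harmless: every name under `dependencies` is still fetched on `npm install`, with its own install scripts and transitive tree, so the accepted risk is an install-footprint risk rather than no risk.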
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 9.5.0 | 3 / 17 | |
| 9.4.0 | 3 / 17 | |
| 9.3.0 | 3 / 18 | |
| 9.2.0 | 3 / 19 | |
| 9.1.0 | 3 / 18 | |
| 9.0.0 | 3 / 17 | |
| 8.2.0 | 3 / 18 | |
| 8.1.0 | 3 / 18 | |
| 8.0.0 | 3 / 18 | |
| 7.0.0 | 2 / 19 | |
| 6.0.0 | 2 / 18 | |
| 5.15.0 | 2 / 18 | |
| 5.14.0 | 2 / 18 | |
| 5.13.0 | 2 / 18 | |
| 5.12.0 | 3 / 18 | |
| 5.11.0 | 3 / 18 | |
| 5.10.0 | 3 / 17 | |
| 5.9.0 | 3 / 17 | |
| 5.8.0 | 3 / 17 | |
| 5.7.0 | 3 / 17 | |
| 5.6.0 | 3 / 17 | |
| 5.5.0 | 3 / 17 | |
| 5.4.0 | 3 / 17 | |
| 5.3.0 | 20 / 17 | |
| 5.2.0 | 3 / 17 | |
| 5.0.0 | 3 / 16 | |
| 4.3.0 | 2 / 17 | |
| 4.2.0 | 2 / 17 | |
| 4.1.0 | 2 / 17 | |
| 4.0.0 | 3 / 17 | |
| 3.3.0 | 2 / 16 | |
| 3.2.0 | 2 / 16 | |
| 3.1.0 | 2 / 16 | |
| 3.0.0 | 2 / 16 | |
| 2.6.0 | 3 / 16 | |
| 2.5.1 | 3 / 16 | |
| 2.5.0 | 3 / 16 | |
| 2.4.2 | 3 / 16 | |
| 2.4.1 | 3 / 16 | |
| 2.4.0 | 3 / 16 | |
| 2.3.0 | 3 / 10 | |
| 2.2.1 | 3 / 9 | |
| 2.1.0 | 3 / 9 | |
| 2.0.0 | 3 / 9 | |
| 1.0.2 | 2 / 5 | |
| 1.0.1 | 2 / 5 | |
| 1.0.0 | 3 / 5 |
v9.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
2 findings
This version was published by a different npm account than previous versions on 2023-11-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
2 findings
This version was published by a different npm account than previous versions on 2023-11-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings
This version was published by a different npm account than previous versions on 2021-07-31. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
2 findings
This version was published by a different npm account than previous versions on 2021-07-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
2 findings
This version was published by a different npm account than previous versions on 2021-07-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
2 findings
This version was published by a different npm account than previous versions on 2021-07-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
2 findings
This version was published by a different npm account than previous versions on 2020-10-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.11.0
2 findings
This version was published by a different npm account than previous versions on 2020-09-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
2 findings
This version was published by a different npm account than previous versions on 2020-08-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findings
This version was published by a different npm account than previous versions on 2020-08-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.0
2 findings
This version was published by a different npm account than previous versions on 2020-07-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findings
This version was published by a different npm account than previous versions on 2020-06-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
2 findings
This version was published by a different npm account than previous versions on 2020-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
2 findings
This version was published by a different npm account than previous versions on 2020-06-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
2 findings
This version was published by a different npm account than previous versions on 2020-06-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findings
This version was published by a different npm account than previous versions on 2020-06-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findings
This version was published by a different npm account than previous versions on 2019-12-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
2 findings
This version was published by a different npm account than previous versions on 2019-12-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
2 findings
This version was published by a different npm account than previous versions on 2019-11-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings
This version was published by a different npm account than previous versions on 2019-11-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
2 findings
This version was published by a different npm account than previous versions on 2019-11-13. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
2 findings
This version was published by a different npm account than previous versions on 2019-01-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
2 findings
This version was published by a different npm account than previous versions on 2019-01-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
2 findings
This version was published by a different npm account than previous versions on 2019-01-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
2 findings
This version was published by a different npm account than previous versions on 2019-01-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
2 findings
This version was published by a different npm account than previous versions on 2019-01-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
2 findings
This version was published by a different npm account than previous versions on 2018-11-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
2 findings
This version was published by a different npm account than previous versions on 2018-01-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.