items — Greenflagged

Bare minimum async methods

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nargonathdevinivymarsupnlf

Keywords

asyncserialparallel

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Known hapijs ecosystem transition from hueniverse (Eran Hammer) to nargonath/devinivy; well-documented legitimate maintainer handoff, not a compromise.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): nargonath and devinivy are recognized hapijs ecosystem maintainers who took over the project legitimately.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): hueniverse and wyatt stepped back from hapijs maintenance; this is a known, legitimate transition in the hapijs ecosystem.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy aligns with the period after hueniverse stepped away from hapijs; resumed activity by new legitimate maintainers is expected.	ai	2026/04/23

Versions (showing 10 of 10)

Version	Deps	Published
2.2.1	0 / 2	2024-01-06
2.1.2	0 / 2	2018-11-11
2.1.1	0 / 2	2016-07-28
2.1.0	0 / 2	2016-05-05
2.0.1	0 / 2	2016-05-05
2.0.0	0 / 2	2015-10-31
1.1.1	0 / 2	2015-09-09
1.1.0	0 / 1	2014-10-16
1.0.2	0 / 1	2014-09-05
1.0.1	0 / 1	2014-08-08

v2.2.1

2 findings

HIGH Publisher changed: hueniverse → nargonath (on 2024-01-06) provenance

This version was published by a different npm account than previous versions on 2024-01-06. This could indicate a legitimate maintainer transition or an account compromise.