json-stream — Greenflagged

New line-delimeted JSON parser with a stream interface

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mmaleckiceejbotjcrugzz

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): Package is ~14 years old from a well-established publisher; 0.0.0 reflects early npm conventions, not malicious intent.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Very old package (~2011) predates modern npm metadata conventions; missing repo/keywords/deps is typical for that era, not a spam indicator.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change from mmalecki to jcrugzz occurred in Dec 2014 — a historical, legitimate maintainer transition. jcrugzz has a strong track record (522 approved packages).	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): Same historical 2014 maintainer transition; jcrugzz is a well-established publisher. Not indicative of compromise.	ai	2026/04/23

Versions (showing 8 of 8)

Version	Deps	Published
1.0.0	0 / 0	2014-12-18
0.2.2	0 / 0	2014-10-13
0.2.1	0 / 0	2014-05-19
0.2.0	0 / 0	2013-06-05
0.1.2	0 / 0	2012-11-24
0.1.1	0 / 0	2012-11-24
0.1.0	0 / 0	2012-09-18
0.0.0	0 / 0	2012-06-14

v1.0.0

2 findings

HIGH Publisher changed: mmalecki → jcrugzz (on 2014-12-18) provenance

This version was published by a different npm account than previous versions on 2014-12-18. This could indicate a legitimate maintainer transition or an account compromise.