← Home

kew

npm Repository Homepage

a lightweight promise library for node

23
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

azulusnicksdpupmediumxiaochaosgame

Keywords

kewpromises

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Publisher change from azulus to nicks occurred in 2013 as part of a legitimate org-level transition to the Obvious/Medium engineering team. Stable historical fact for this package. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainers (nicks, dpup, medium) added in 2013 reflect a legitimate organizational handoff to the Obvious/Medium team. No malicious indicators. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this package. ai
typosquat typosquat.levenshtein:koa AI (typosquat): kew is a ~14-year-old promise library by Medium engineering; predates/is unrelated to koa. Pure edit-distance false positive with no brand impersonation. ai
typosquat typosquat.levenshtein:knex AI (typosquat): kew is a ~14-year-old promise library by Medium engineering; completely unrelated to knex. Pure edit-distance false positive with no brand impersonation. ai

Versions (showing 23 of 23)

Version Deps Published
0.7.0 0 / 3
0.6.0 0 / 3
0.5.0 0 / 3
0.4.0 0 / 3
0.3.4 0 / 3
0.3.3 0 / 2
0.3.2 0 / 2
0.3.1 0 / 2
0.3.0 0 / 2
0.2.2 0 / 2
0.2.1 0 / 2
0.1.7 0 / 1
0.1.6 0 / 1
0.1.5 0 / 1
0.1.4 0 / 1
0.1.3 0 / 1
0.1.2 0 / 1
0.1.1 0 / 1
0.1.0 0 / 1
0.0.4 0 / 2
0.0.3 0 / 1
0.0.2 0 / 1
0.0.1 0 / 1