libnpmexec
npm exec (npx) programmatic API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Publish environment variation within the npm CLI team; gitHead presence is not guaranteed across all publish flows. | ai | |
| provenance | no-provenance | AI (provenance): Informational finding; npm CLI workspace packages may not yet have Sigstore provenance enabled. Not a security risk. | ai | |
| provenance | publisher-changed | AI (provenance): reggi is a known npm CLI team member; publisher change from gar to reggi is a legitimate maintainer rotation within the npm org. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @npmcli/package-json is an official @npmcli-scoped package, consistent with the existing dependency tree. | ai | |
Versions (showing 51 of 96)
| Version | Deps | Published |
|---|---|---|
| 10.2.9 | 12 / 8 | |
| 10.2.8 | 12 / 8 | |
| 10.2.7 | 12 / 8 | |
| 10.2.6 | 12 / 8 | |
| 10.2.4 | 12 / 8 | |
| 10.2.3 | 12 / 8 | |
| 10.2.2 | 12 / 8 | |
| 10.2.1 | 12 / 8 | |
| 10.2.0 | 12 / 8 | |
| 10.1.12 | 12 / 8 | |
| 10.1.11 | 12 / 8 | |
| 10.1.10 | 12 / 8 | |
| 10.1.9 | 12 / 8 | |
| 10.1.8 | 12 / 8 | |
| 10.1.7 | 12 / 8 | |
| 10.1.6 | 11 / 8 | |
| 10.1.5 | 11 / 8 | |
| 10.1.4 | 11 / 8 | |
| 10.1.3 | 11 / 8 | |
| 10.1.2 | 11 / 8 | |
| 10.1.1 | 11 / 8 | |
| 10.1.0 | 11 / 8 | |
| 10.0.0 | 10 / 8 | |
| 9.0.5 | 10 / 8 | |
| 9.0.4 | 10 / 8 | |
| 9.0.3 | 10 / 8 | |
| 9.0.2 | 10 / 8 | |
| 9.0.1 | 10 / 8 | |
| 9.0.0 | 10 / 8 | |
| 8.1.4 | 10 / 8 | |
| 8.1.3 | 10 / 8 | |
| 8.1.2 | 10 / 8 | |
| 8.1.1 | 10 / 8 | |
| 8.1.0 | 10 / 8 | |
| 8.0.0 | 10 / 8 | |
| 7.0.10 | 11 / 8 | |
| 7.0.9 | 11 / 8 | |
| 7.0.8 | 11 / 8 | |
| 7.0.7 | 11 / 8 | |
| 7.0.6 | 11 / 8 | |
| 7.0.5 | 11 / 8 | |
| 7.0.4 | 11 / 8 | |
| 7.0.3 | 11 / 8 | |
| 7.0.2 | 11 / 8 | |
| 7.0.1 | 11 / 8 | |
| 7.0.0 | 11 / 8 | |
| 6.0.5 | 11 / 8 | |
| 6.0.4 | 11 / 8 | |
| 6.0.3 | 11 / 8 | |
| 6.0.2 | 11 / 8 | |
| 6.0.1 | 11 / 8 | |
v10.2.9
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.8
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.7
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.6
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.4
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.3
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.2
2 findings:
- This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.1
2 findings:
- This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.12
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.11
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.10
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.9
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.8
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.7
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.6
2 findings:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.5
2 findings:
- This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.4
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-06-12. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.3
2 findings:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.2
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.1
2 findings:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-04-08. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.0
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.5
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.4
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
3 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v9.0.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.1.4
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.1.3
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.1.2
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2024-05-29. This could indicate a legitimate maintainer transition or an account compromise.
v8.1.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2024-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v8.1.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.0.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.