local-pkg — Greenflagged

Get information on local packages.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

antfusxzz

Keywords

package

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): CI migration to GitHub Actions with SLSA provenance; gitHead absence is expected.	ai	2026/05/26
publish-pattern	dormant-publish	AI (publish-pattern): Established package by prolific maintainer; dormancy is normal for stable utility libs.	ai	2026/05/26
semgrep	semgrep:dynamic-require	AI (semgrep): Core module-loading utility; dynamic require is the intended design of this package.	ai	2026/05/11
bogus-package	bogus-package	AI (bogus-package): antfu (Anthony Fu) is a well-known legitimate OSS developer; spam flag is a false positive. Inflated semver is explained by org migration from the original local-pkg package.	ai	2026/04/21
dependencies	unvetted-dep:pkg-types	AI (dependencies): pkg-types is an antfu-collective package widely used across the JS ecosystem; not a risk for this package.	ai	2026/04/21

Versions (showing 4 of 4)

Version	Deps	Published
1.2.1	3 / 14	2026-05-21
1.2.0	3 / 14	2026-05-19
1.1.2	3 / 14	2025-08-20
0.4.3	0 / 12	2023-01-19

v1.2.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.