loupe
Inspect utility for Node.js and browsers
Versions: 33
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers: chaijs
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): type-detect and get-function-name are both chaijs-maintained packages, consistent with loupe's integration into the chaijs ecosystem. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to 'chai' (chaijs org) is consistent with the documented transfer of loupe into the chaijs ecosystem; not an account compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): chaijs is a well-established npm org; addition is part of the legitimate transfer of loupe into the chaijs ecosystem. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): vesln removal is part of the same legitimate transfer; original author still credited in package.json. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Transfer from vesln to chaijs is a legitimate organizational handoff; loupe is a chaijs ecosystem utility and the repo URL confirms the move to github.com/chaijs/loupe. | ai | |
| dependencies | unvetted-dep:get-function-name | AI (dependencies): get-function-name is a tiny, stable utility that has been part of loupe's dependency tree across versions; no security concerns associated with it. | ai | |
| provenance | no-provenance | AI (provenance): loupe is a long-established chaijs ecosystem package; lack of Sigstore provenance is expected for packages of this age and is not a risk signal here. | ai | |
| phantom-deps | phantom-dep:get-func-name | AI (phantom-deps): get-func-name is a declared runtime dependency used in config/build context; stable false positive for this package. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 3.2.1 | 0 / 20 | |
| 3.2.0 | 0 / 20 | |
| 3.1.4 | 0 / 20 | |
| 3.1.3 | 0 / 20 | |
| 3.1.2 | 0 / 20 | |
| 3.1.1 | 1 / 20 | |
| 3.1.0 | 1 / 20 | |
| 3.0.2 | 1 / 20 | |
| 3.0.1 | 1 / 20 | |
| 2.3.7 | 1 / 36 | |
| 2.3.6 | 1 / 36 | |
| 2.3.5 | 1 / 36 | |
| 2.3.4 | 1 / 36 | |
| 2.3.3 | 1 / 36 | |
| 2.3.2 | 1 / 36 | |
| 2.3.1 | 1 / 36 | |
| 2.3.0 | 2 / 36 | |
| 2.2.1 | 2 / 36 | |
| 2.2.0 | 2 / 36 | |
| 2.1.2 | 2 / 36 | |
| 2.1.1 | 2 / 36 | |
| 2.1.0 | 2 / 36 | |
| 2.0.3 | 2 / 36 | |
| 2.0.2 | 2 / 36 | |
| 2.0.1 | 2 / 36 | |
| 2.0.0 | 2 / 36 | |
| 1.0.5 | 2 / 36 | |
| 1.0.4 | 2 / 36 | |
| 1.0.3 | 2 / 36 | |
| 1.0.2 | 2 / 36 | |
| 1.0.1 | 2 / 36 | |
| 1.0.0 | 2 / 36 | |
| 0.0.1 | 0 / 8 | |
v2.0.1 (1 finding)
INFO: No provenance attestation (provenance)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.