memfs — Greenflagged

In-memory file-system with Node's fs API.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

streamich

Keywords

fsfilesystemfs.jsmemory-fsmemfsfilefile systemmountmemoryin-memoryvirtualtesttestingmockfsafile system accessnative file systemwebfscrudfsopfscasfscontent addressable storage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Published via GitHub Actions with SLSA provenance; gitHead absence is a CI config detail, not a risk.	ai	2026/05/31
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; stable for this package.	ai	2026/05/30
phantom-deps	phantom-dep:glob-to-regex.js	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:@jsonjoy.com/util	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:@jsonjoy.com/fs-print	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:thingies	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:@jsonjoy.com/fs-snapshot	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:@jsonjoy.com/fs-node-builtins	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:@jsonjoy.com/json-pack	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29
phantom-deps	phantom-dep:tree-dump	AI (phantom-deps): Declared dep used transitively; stable false positive for this monorepo-style package.	ai	2026/05/29

Versions (showing 100 of 218)

Version	Deps	Published
4.57.3	14 / 27	2026-05-28
4.57.2	14 / 27	2026-04-16
4.57.1	14 / 27	2026-03-21
4.57.0	14 / 27	2026-03-21
4.56.11	14 / 27	2026-03-04
4.56.10	14 / 27	2026-01-23
4.56.9	14 / 27	2026-01-21
4.56.8	14 / 27	2026-01-21
4.56.7	14 / 27	2026-01-21
4.54.0	6 / 31	2026-01-18
4.53.0	6 / 31	2026-01-17
4.52.0	6 / 31	2026-01-15
4.51.1	6 / 31	2025-11-30
4.51.0	6 / 31	2025-11-12
4.50.0	6 / 31	2025-10-28
4.49.0	6 / 31	2025-10-06
4.48.1	6 / 31	2025-10-01
4.48.0	6 / 31	2025-10-01
4.47.0	6 / 31	2025-09-27
4.46.1	6 / 31	2025-09-25
4.46.0	6 / 31	2025-09-24
4.45.0	6 / 31	2025-09-24
4.44.0	6 / 31	2025-09-24
4.43.1	6 / 31	2025-09-24
4.43.0	6 / 31	2025-09-20
4.42.0	6 / 31	2025-09-16
4.41.0	6 / 31	2025-09-16
4.40.0	6 / 31	2025-09-16
4.39.0	6 / 31	2025-09-10
4.38.3	6 / 31	2025-09-09
4.38.2	6 / 31	2025-08-26
4.38.1	6 / 31	2025-08-24
4.38.0	5 / 31	2025-08-24
4.37.1	5 / 31	2025-08-22
4.37.0	5 / 31	2025-08-22
4.36.3	5 / 31	2025-08-18
4.36.2	4 / 31	2025-08-18
4.36.1	4 / 31	2025-08-18
4.36.0	4 / 31	2025-08-03
4.35.0	4 / 31	2025-08-02
4.34.0	4 / 31	2025-08-01
4.33.0	4 / 31	2025-08-01
4.32.1	4 / 31	2025-08-01
4.32.0	4 / 31	2025-08-01
4.31.0	4 / 31	2025-08-01
4.30.1	4 / 31	2025-08-01
4.30.0	4 / 31	2025-08-01
4.29.0	4 / 31	2025-08-01
4.28.1	4 / 31	2025-08-01
4.28.0	4 / 31	2025-07-31
4.27.0	4 / 31	2025-07-31
4.26.0	4 / 31	2025-07-31
4.25.1	4 / 31	2025-07-31
4.25.0	4 / 31	2025-07-31
4.24.0	4 / 31	2025-07-30
4.23.0	4 / 31	2025-07-27
4.22.1	4 / 31	2025-07-27
4.22.0	4 / 31	2025-07-27
4.21.0	4 / 31	2025-07-27
4.20.1	4 / 31	2025-07-27
4.20.0	4 / 31	2025-07-25
4.19.0	4 / 31	2025-07-25
4.18.0	4 / 31	2025-07-25
4.17.2	4 / 31	2025-05-15
4.17.1	4 / 31	2025-05-03
4.17.0	4 / 31	2025-01-09
4.16.0	4 / 31	2025-01-09
4.15.4	4 / 31	2025-01-09
4.15.3	4 / 31	2025-01-01
4.15.2	4 / 31	2024-12-30
4.15.1	4 / 31	2024-12-22
4.15.0	4 / 31	2024-12-09
4.14.1	4 / 31	2024-12-02
4.14.0	4 / 31	2024-10-13
4.13.0	4 / 31	2024-10-07
4.12.0	4 / 31	2024-09-19
4.11.2	4 / 31	2024-09-17
4.11.1	4 / 31	2024-08-01
4.11.0	4 / 31	2024-07-27
4.10.0	4 / 31	2024-07-27
4.9.4	4 / 31	2024-07-23
4.9.3	4 / 31	2024-06-14
4.9.2	4 / 31	2024-04-30
4.9.1	4 / 31	2024-04-27
4.9.0	1 / 31	2024-04-27
4.8.2	1 / 31	2024-04-14
4.8.1	1 / 30	2024-03-31
4.8.0	1 / 30	2024-03-19
4.7.7	1 / 30	2024-02-21
4.7.6	1 / 30	2024-02-17
4.7.5	1 / 30	2024-02-17
4.7.4	2 / 31	2024-02-17
4.7.3	3 / 31	2024-02-17
4.7.2	3 / 31	2024-02-17
4.7.1	2 / 31	2024-02-16
4.7.0	2 / 31	2024-02-13
4.6.1	2 / 31	2024-02-12
4.6.0	2 / 31	2023-10-07
4.5.0	2 / 31	2023-09-25
4.4.0	2 / 31	2023-09-22

Showing 100 of 218 Next page →

v4.57.3

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.57.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.57.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.57.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.56.11

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.56.10

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.56.9

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.56.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.56.7

2 findings

HIGH Publisher changed: streamich → GitHub Actions (on 2026-01-21) provenance

This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.54.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.53.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.52.0

2 findings

HIGH Publisher changed: streamich → GitHub Actions (on 2026-01-15) provenance

This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.