merge-descriptors MIT 7 versions

merge-descriptors

npm Repository Homepage

Merge objects using their property descriptors

Versions

MIT

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

juliangrubersindresorhustjholowaychukdougwilsonjonathanongjongleberry

Keywords

mergedescriptorsobjectpropertypropertiesmerginggettersetter

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Legitimate transfer to sindresorhus, a highly trusted npm publisher with 808 approved packages. Repository URL in package.json confirms the transfer to sindresorhus/merge-descriptors.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (sindresorhus, dougwilson, tjholowaychuk, juliangruber, jonathanong) are all well-known, trusted Node.js/Express ecosystem contributors. Consistent with legitimate stewardship transfer.	ai	2026/04/21

Versions (showing 7 of 7)

Version	Deps	Published
2.0.0	0 / 2	2023-11-16
1.0.3	0 / 8	2023-11-16
1.0.2	0 / 8	2023-11-16
1.0.1	0 / 2	2016-01-17
1.0.0	0 / 0	2015-03-01
0.0.2	0 / 0	2013-12-14
0.0.1	0 / 0	2013-10-29