mute-stream — Greenflagged

Bytes go in, but they don't come out (when muted).

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Keywords

mutestreampipe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:coverage/lcov-report/prettify.js	AI (source-diff): Standard Istanbul coverage report prettify.js (Google code-prettify); not malicious.	ai	2026/05/22
source-diff	source-size-tripled	AI (source-diff): Size increase from coverage report artifacts, not injected payload.	ai	2026/05/22
provenance	publisher-changed	AI (provenance): Publisher change from lukekarrys to npm-cli-ops is standard npm CLI team maintainer rotation within the npm GitHub org.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (hashtagchris, reggi, npm-cli-ops) are known npm CLI team members; routine org rotation.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers (darcyclarke, nlf, lukekarrys) reflect normal npm CLI team turnover, not a takeover.	ai	2026/04/24

Versions (showing 12 of 12)

Version	Deps	Published
4.0.0	0 / 2	2026-05-08
3.0.0	0 / 3	2025-10-22
2.0.0	0 / 3	2024-09-24
1.0.0	0 / 3	2022-12-13
0.0.8	0 / 1	2018-12-28
0.0.7	0 / 1	2017-01-03
0.0.6	0 / 1	2016-02-13
0.0.5	0 / 1	2015-05-20
0.0.4	0 / 1	2013-07-15
0.0.3	0 / 1	2012-08-15
0.0.2	0 / 1	2012-07-24
0.0.1	0 / 1	2012-07-24

v4.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

2 findings

HIGH Publisher changed: lukekarrys → npm-cli-ops (on 2024-09-24) provenance

This version was published by a different npm account than previous versions on 2024-09-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.7

2 findings

HIGH New obfuscated file: coverage/lcov-report/prettify.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.