nf3
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/shared/confbox.DnMsyigM.mjs | AI (source-diff): Minified confbox dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are bundled devDep dist artifacts from @vercel/nft and pathe; expected for this package type. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/yaml.mjs | AI (source-diff): Minified js-yaml ESM bundled via confbox; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/yaml.mjs | AI (source-diff): Minified js-yaml ESM bundled via confbox; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/pathe/dist/shared/pathe.M-eThtNZ.mjs | AI (source-diff): Minified pathe ESM dist; standard build artifact from unjs/pathe. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/json5.mjs | AI (source-diff): Minified json5 ESM dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/json5.mjs | AI (source-diff): Minified json5 ESM dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/shared/confbox.f9f03f05.mjs | AI (source-diff): Minified confbox dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/shared/confbox.6b479c78.cjs | AI (source-diff): Minified confbox dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/json5.cjs | AI (source-diff): Minified json5 dist bundled by @vercel/nft; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/node_modules/pathe/dist/shared/pathe.BSlhyZSM.cjs | AI (source-diff): Minified pathe dist; standard build artifact from unjs/pathe. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nft/[email protected]/dist/yaml.cjs | AI (source-diff): Minified js-yaml bundled via confbox; standard build artifact. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Placeholder/namespace reservation by established publisher; signals don't indicate spam or malware. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Trusted publisher pi0 using 0.0.0 as a placeholder; not a malicious indicator here. | ai | |
| source-diff | obfuscated-file:dist/node_modules/@isaacs/fs-minipass/dist/commonjs/index.js | AI (source-diff): Minified build of @isaacs/fs-minipass bundled by nf3; standard minified output, not malicious. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/confbox.mjs | AI (source-diff): Minified bundle of confbox library produced by oxc-minify build toolchain; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nf3/[email protected]/dist/commonjs/index.js | AI (source-diff): Same as above — minified minipass build artifact, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.nf3/[email protected]/dist/commonjs/index.js | AI (source-diff): Minified build of the well-known minipass package bundled by nf3; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/exsolve.mjs | AI (source-diff): Bundled copy of exsolve devDependency; minified output is expected for this build tool package. | ai | |
| source-diff | obfuscated-file:dist/_libs/confbox.mjs | AI (source-diff): Minified vendor bundle of confbox library; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/_libs/exsolve.mjs | AI (source-diff): Minified vendor bundle of exsolve library; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/_libs/mlly.mjs | AI (source-diff): Minified vendor bundle of mlly library; standard build output for this package. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.3.17 | 0 / 22 | |
| 0.3.16 | 0 / 22 | |
| 0.3.15 | 0 / 22 | |
| 0.3.14 | 0 / 22 | |
| 0.3.13 | 0 / 22 | |
| 0.3.12 | 0 / 22 | |
| 0.3.11 | 0 / 22 | |
| 0.3.10 | 0 / 22 | |
| 0.3.9 | 0 / 22 | |
| 0.3.8 | 0 / 22 | |
| 0.3.7 | 0 / 22 | |
| 0.3.6 | 0 / 22 | |
| 0.3.5 | 0 / 22 | |
| 0.3.4 | 0 / 21 | |
| 0.3.3 | 0 / 21 | |
| 0.3.2 | 0 / 21 | |
| 0.3.1 | 0 / 21 | |
| 0.3.0 | 0 / 21 | |
| 0.2.0 | 0 / 22 | |
| 0.1.12 | 0 / 22 | |
| 0.1.11 | 0 / 22 | |
| 0.1.10 | 0 / 22 | |
| 0.1.9 | 0 / 22 | |
| 0.1.8 | 0 / 22 | |
| 0.1.7 | 0 / 22 | |
| 0.1.6 | 0 / 22 | |
| 0.1.5 | 0 / 21 | |
| 0.1.4 | 0 / 21 | |
| 0.1.3 | 0 / 21 | |
| 0.1.2 | 0 / 21 | |
| 0.1.1 | 0 / 21 | |
| 0.1.0 | 0 / 21 | |
| 0.0.0 | 0 / 0 | |
v0.3.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.13
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.12
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.