npm
a package manager for JavaScript
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:node_modules/diff/lib/patch/line-endings.js | AI (source-diff): Babel-transpiled output from the diff library; long lines are from transpiler helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@isaacs/cliui/node_modules/emoji-regex/index.js | AI (source-diff): emoji-regex contains long Unicode regex patterns for emoji matching, not obfuscated code. Standard false positive for this package. | ai | |
| source-diff | obfuscated-file:node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/index.js | AI (source-diff): emoji-regex contains long Unicode regex patterns for emoji matching, not obfuscated code. Standard false positive for this package. | ai | |
| source-diff | net-exec-file:node_modules/event-target-shim/dist/event-target-shim.umd.js | AI (source-diff): Standard UMD wrapper from event-target-shim; bundled dependency of npm CLI. Not malware. | ai | |
| source-diff | obfuscated-file:node_modules/libnpmdiff/node_modules/diff/lib/diff/base.js | AI (source-diff): Bundled diff library; transpiled/minified code is expected for npm CLI dependencies. | ai | |
| source-diff | obfuscated-file:node_modules/libnpmdiff/node_modules/diff/lib/patch/apply.js | AI (source-diff): Bundled diff library; transpiled/minified code is expected for npm CLI dependencies. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @npmcli/redact is an internal npm CLI dependency for credential redaction; legitimate addition. | ai | |
| provenance | missing-githead | AI (provenance): gitHead absence is acceptable for npm CLI; published by trusted gar account with strong track record. | ai | |
| source-diff | net-exec-file:node_modules/ajv/dist/ajv.bundle.js | AI (source-diff): Bundled minified library (ajv validator); legitimate build artifact, not malware. | ai | |
| source-diff | net-exec-file:node_modules/ajv/dist/ajv.min.js | AI (source-diff): Bundled minified library (ajv validator); legitimate build artifact, not malware. | ai | |
| phantom-deps | phantom-dep:lodash._cacheindexof | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| dependencies | unvetted-dep:config-chain | AI (dependencies): config-chain is a standard npm CLI dependency for config file loading; stable constraint ^1.1.12. | ai | |
| dependencies | unvetted-dep:validate-npm-package-license | AI (dependencies): Validates package.json license fields; legitimate npm utility dependency. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a widely-used HTTP library; legitimate for npm's registry communication. | ai | |
| phantom-deps | phantom-dep:lodash._baseuniq | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| phantom-deps | phantom-dep:lodash.restparam | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| phantom-deps | phantom-dep:lodash._baseindexof | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| phantom-deps | phantom-dep:lodash._createcache | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| phantom-deps | phantom-dep:lodash._bindcallback | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| dependencies | unvetted-dep:JSONStream | AI (dependencies): JSONStream is a standard npm CLI dependency for streaming JSON parsing; stable constraint ^1.3.5. | ai | |
| phantom-deps | phantom-dep:sha | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree, not directly imported. | ai | |
| phantom-deps | phantom-dep:unpipe | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is a known implicit/runtime dependency of npm; invoked as a subprocess, not directly imported. | ai | |
| phantom-deps | phantom-dep:lazy-property | AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree. | ai | |
| source-diff | obfuscated-file:node_modules/diff/lib/patch/create.js | AI (source-diff): Babel-transpiled output from the bundled 'diff' package with istanbul coverage markers. Long lines are helper functions, not obfuscation. Stable false positive for npm CLI's bundled deps. | ai | |
| source-diff | net-exec-file:node_modules/abort-controller/dist/abort-controller.umd.js | AI (source-diff): Standard UMD wrapper from abort-controller; bundled dependency of npm CLI. Not malware. | ai | |
| dependencies | unvetted-dep:sorted-object | AI (dependencies): sorted-object is a legitimate utility bundled by npm. Not a risk. | ai | |
| dependencies | unvetted-dep:editor | AI (dependencies): editor is a legitimate, well-known utility bundled by npm. Not a risk. | ai | |
| dependencies | unvetted-dep:byte-size | AI (dependencies): byte-size is a legitimate utility for formatting byte sizes used in npm's output display; not a risk for this package. | ai | |
| source-diff | obfuscated-file:node_modules/diff/lib/patch/apply.js | AI (source-diff): Bundled transpiled/minified library code; standard build artifact from diff package. | ai | |
| source-diff | obfuscated-file:node_modules/diff/lib/diff/base.js | AI (source-diff): Bundled transpiled/minified library code; standard build artifact from diff package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from lukekarrys to gar is legitimate team transition; gar has 1649 approved packages. | ai | |
| dependencies | unvetted-dep:libnpx | AI (dependencies): libnpx is an official npm Inc. package bundled with the npm CLI. | ai | |
| dependencies | unvetted-dep:libnpm | AI (dependencies): libnpm is an official npm Inc. package; unvetted status is a registry gap, not a security concern for the npm CLI itself. | ai | |
| dependencies | unvetted-dep:libcipm | AI (dependencies): libcipm is an official npm Inc. package bundled with the npm CLI. | ai | |
| dependencies | unvetted-dep:read-package-json | AI (dependencies): read-package-json is npm's package.json parser; bundled core dependency. | ai | |
| dependencies | unvetted-dep:readdir-scoped-modules | AI (dependencies): npm ecosystem utility package bundled with npm CLI. Legitimate and expected dependency for a package manager. | ai | |
| dependencies | unvetted-dep:mkdirp-infer-owner | AI (dependencies): npm ecosystem utility package bundled with npm CLI. Legitimate and expected dependency for a package manager. | ai | |
| dependencies | unvetted-dep:@npmcli/ci-detect | AI (dependencies): First-party @npmcli package, bundled with npm CLI. Legitimate dependency of the npm package manager itself. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect used for proxy-based command dispatch, not malicious obfuscation. | ai | |
| semgrep | semgrep:obfuscation-global-buffer | AI (semgrep): Known npm easter egg (birthday message); not malicious obfuscation. | ai | |
| semgrep | semgrep:npmrc-access | AI (semgrep): Accessing .npmrc is expected for npm configuration and auth token management. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): term-size binaries are prebuilt native modules for terminal detection; expected for npm. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions (reggi, hashtagchris, owlstronaut) reflect legitimate team expansion in active npm CLI project. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Environment variable enumeration in config.js is expected for proxy/config handling in package managers. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals (fritzy, lukekarrys) are consistent with normal team transitions in large projects. | ai | |
| dependencies | unvetted-dep:cli-columns | AI (dependencies): cli-columns is a well-known utility used by the npm CLI for formatting output; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@npmcli/arborist | AI (dependencies): @npmcli/arborist is a core first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:libnpmexec | AI (dependencies): libnpmexec is a first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:libnpmhook | AI (dependencies): libnpmhook is a first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:pacote | AI (dependencies): pacote is a core npm ecosystem package for package fetching; legitimate dependency for npm. | ai | |
| dependencies | unvetted-dep:@npmcli/config | AI (dependencies): @npmcli/config is an internal npm CLI dependency; unvetted status is expected. | ai | |
| dependencies | unvetted-dep:ini | AI (dependencies): ini is a standard npm CLI dependency for .npmrc parsing; stable constraint ^1.3.8. | ai | |
| dependencies | unvetted-dep:@npmcli/run-script | AI (dependencies): @npmcli/run-script is an internal npm CLI dependency; unvetted status is expected. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 388 new files reflect bundled dependencies (path-scurry, lru-cache) listed in bundleDependencies; expected for monorepo. | ai | |
| dependencies | unvetted-dep:spdx-expression-parse | AI (dependencies): spdx-expression-parse is a standard SPDX license expression parser; legitimate dependency for npm's license handling. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard for npm CLI; package is published by trusted npm organization. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn in edit.js spawns user-configured editors; legitimate npm feature for package.json editing. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of HTTP Basic auth credentials is expected in package manager handling npm authentication. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used for spawning editors and system commands in npm's config and edit commands; documented functionality. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in CLI command loader is standard pattern for pluggable command architecture; stable for npm CLI. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): npm is the canonical package manager name, not a typosquat. Levenshtein distance to pg is incidental. | ai | |
Versions (showing 51 of 147)
| Version | Deps | Published |
|---|---|---|
| 11.16.0 | 65 / 20 | |
| 11.15.0 | 65 / 20 | |
| 11.14.1 | 65 / 20 | |
| 11.14.0 | 65 / 20 | |
| 11.13.0 | 65 / 20 | |
| 11.12.0 | 65 / 20 | |
| 11.11.1 | 65 / 20 | |
| 11.11.0 | 65 / 20 | |
| 11.10.1 | 65 / 20 | |
| 11.10.0 | 66 / 20 | |
| 11.9.0 | 66 / 20 | |
| 11.8.0 | 66 / 20 | |
| 11.7.0 | 66 / 20 | |
| 11.6.4 | 66 / 20 | |
| 11.6.3 | 66 / 20 | |
| 11.6.2 | 65 / 20 | |
| 11.6.1 | 66 / 20 | |
| 11.6.0 | 66 / 20 | |
| 11.5.2 | 66 / 20 | |
| 11.5.1 | 66 / 20 | |
| 11.5.0 | 66 / 20 | |
| 11.4.2 | 66 / 20 | |
| 11.4.1 | 66 / 20 | |
| 11.4.0 | 66 / 20 | |
| 11.3.0 | 66 / 20 | |
| 11.2.0 | 66 / 20 | |
| 11.1.0 | 66 / 20 | |
| 11.0.0 | 66 / 20 | |
| 10.9.4 | 68 / 20 | |
| 10.9.3 | 68 / 20 | |
| 10.9.2 | 68 / 20 | |
| 10.9.1 | 68 / 20 | |
| 10.9.0 | 68 / 20 | |
| 10.8.3 | 68 / 20 | |
| 10.8.2 | 68 / 20 | |
| 10.8.1 | 68 / 20 | |
| 10.8.0 | 68 / 20 | |
| 10.7.0 | 68 / 20 | |
| 10.6.0 | 69 / 20 | |
| 10.5.2 | 71 / 19 | |
| 10.5.1 | 71 / 19 | |
| 10.5.0 | 70 / 19 | |
| 10.4.0 | 70 / 19 | |
| 10.3.0 | 71 / 19 | |
| 10.2.5 | 71 / 19 | |
| 10.2.4 | 71 / 19 | |
| 10.2.3 | 71 / 19 | |
| 10.2.2 | 71 / 19 | |
| 10.2.1 | 71 / 19 | |
| 10.2.0 | 71 / 19 | |
| 10.1.0 | 68 / 16 | |
v11.16.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.15.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.14.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.14.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.12.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
v11.11.1
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
v11.11.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v11.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.10.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
v11.9.0
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
v11.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
v11.6.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-24. This could indicate a legitimate maintainer transition or an account compromise.
v11.6.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
v11.5.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-30. This could indicate a legitimate maintainer transition or an account compromise.
v11.5.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
v11.5.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
v11.4.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v11.4.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v11.4.0
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v11.3.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-08. This could indicate a legitimate maintainer transition or an account compromise.
v11.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v11.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v11.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.9.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-30. This could indicate a legitimate maintainer transition or an account compromise.
v10.9.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.9.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.9.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.9.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.8.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.8.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.8.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.8.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v10.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v10.5.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v10.3.0
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.5
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-12-06. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.4
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-11-15. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.1
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-18. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-03. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-08. This could indicate a legitimate maintainer transition or an account compromise.