npm-packlist ISC 7 versions

npm-packlist

npm Repository Homepage

Get a list of the files to add from a folder into an npm package

7

Versions

ISC

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): npm-cli-ops is the official npm CLI ops account; routine team rotation.	ai	2026/05/18
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known npm CLI team members.	ai	2026/05/18
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers reflect normal npm CLI team turnover.	ai	2026/05/18
publish-pattern	dormant-publish	AI (publish-pattern): Major version bump after period of stability; normal for npm CLI packages.	ai	2026/05/18
dependencies	unvetted-dep:ignore-walk	AI (dependencies): ignore-walk is an official npm org package (github.com/npm/ignore-walk) and a long-standing dependency of npm-packlist; not a risk for this package.	ai	2026/04/21

Versions (showing 7 of 7)

Version	Deps	Published
11.1.0	3 / 5	2026-05-22
11.0.0	3 / 5	2026-05-15
10.0.4	2 / 5	2026-02-20
10.0.3	2 / 5	2025-10-23
10.0.2	2 / 5	2025-09-22
10.0.1	1 / 5	2025-07-24
5.1.3	4 / 4	2022-08-25

v11.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.3

2 findings

HIGH Publisher changed: lukekarrys → GitHub Actions (on 2025-10-23) provenance

This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.2

2 findings

HIGH Publisher changed: lukekarrys → GitHub Actions (on 2025-09-22) provenance

This version was published by a different npm account than previous versions on 2025-09-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.1

2 findings

HIGH Publisher changed: lukekarrys → npm-cli-ops (on 2025-07-24) provenance

This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.