npm-pick-manifest ISC 7 versions

npm-pick-manifest

npm Repository Homepage

Resolves a matching manifest from a package metadata document according to standard npm semver resolution rules.

7

Versions

ISC

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Keywords

npmsemverpackage manager

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): npm CLI team migrated to publishing via GitHub Actions CI/CD; SLSA provenance confirms legitimate pipeline.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): Routine npm CLI team roster change within the official npm GitHub org.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Routine npm CLI team roster change; fritzy departure is a known team transition.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): npm CLI packages have irregular publish cadences; SLSA provenance confirms legitimate CI/CD origin.	ai	2026/04/24
dependencies	unvetted-dep:npm-install-checks	AI (dependencies): npm-install-checks is an official npm org package and an expected dependency of npm-pick-manifest; not a risk signal.	ai	2026/04/21
dependencies	unvetted-dep:npm-normalize-package-bin	AI (dependencies): npm-normalize-package-bin is an official npm org package and an expected dependency of npm-pick-manifest; not a risk signal.	ai	2026/04/21
dependencies	unvetted-dep:npm-package-arg	AI (dependencies): npm-package-arg is an official npm org package and an expected dependency of npm-pick-manifest; not a risk signal.	ai	2026/04/21

Versions (showing 7 of 7)

Version	Deps	Published
12.0.0	4 / 2	2026-05-18
11.0.3	4 / 3	2025-10-23
11.0.2	4 / 3	2025-10-23
11.0.1	4 / 3	2025-09-17
10.0.0	4 / 3	2024-09-26
9.1.0	4 / 3	2024-07-09
9.0.1	4 / 3	2024-05-04

v12.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.2

2 findings

HIGH Publisher changed: npm-cli-ops → GitHub Actions (on 2025-10-23) provenance

This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.1

2 findings

HIGH Publisher changed: npm-cli-ops → GitHub Actions (on 2025-09-17) provenance

This version was published by a different npm account than previous versions on 2025-09-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.