npm-registry-client
Client for the npm registry
Versions: 25
License: ISC
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: iarna, isaacs, othiym23, zkat
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Missing provenance is a best-practice gap, not a security defect; stable for this mature package. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is legitimately declared and used indirectly in build/CLI context; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:chownr | AI (phantom-deps): chownr is legitimately declared and used indirectly in build/CLI context; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): mkdirp is legitimately declared and used indirectly in build/CLI context; stable pattern for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Added maintainers (zkat, isaacs, othiym23) are well-known npm core contributors; this reflects the historical npm team roster, not a suspicious takeover. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load the client's own bundled API method files from a known directory — a stable architectural pattern in this package, not user-controlled input. | ai | |
| email-domain | unclaimed-email:aoaioxxysz.net | AI (email-domain): This is a historical maintainer email (ogd/isaacs) not the active publisher. Package is under the official npm GitHub org and published by zkat. Domain squatting risk is low given active npm-org stewardship. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ssri is a legitimate npm-org package for subresource integrity checking, entirely appropriate for an npm registry client. Not a suspicious dependency addition. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a long-standing HTTP library dependency in this package; not a new or suspicious addition. | ai | |
| phantom-deps | phantom-dep:graceful-fs | AI (phantom-deps): graceful-fs is a legitimate declared dependency used transitively/conditionally in this registry client; not a security concern. | ai | |
| provenance | publisher-changed | AI (provenance): The zkat → iarna transition in 2018 was a legitimate maintainer handoff within the npm org. iarna is a well-established publisher; this is not a compromise signal. | ai | |
| bogus-package | bogus-package | AI (bogus-package): isaacs is Isaac Z. Schlueter, creator of npm — the spam flag is a false positive. No-keywords signal is trivial for this well-known package. | ai | |
| phantom-deps | phantom-dep:safe-buffer | AI (phantom-deps): safe-buffer is a legitimate declared dependency for Buffer compatibility; not a security concern. | ai | |
Versions (showing 25 of 125)
| Version | Deps | Published |
|---|---|---|
| 0.2.11 | 10 / 1 | |
| 0.2.10 | 10 / 1 | |
| 0.2.9 | 10 / 1 | |
| 0.2.8 | 10 / 1 | |
| 0.2.7 | 10 / 1 | |
| 0.2.6 | 10 / 1 | |
| 0.2.5 | 10 / 1 | |
| 0.2.1 | 11 / 1 | |
| 0.2.0 | 11 / 1 | |
| 0.1.4 | 11 / 1 | |
| 0.1.3 | 11 / 1 | |
| 0.1.2 | 11 / 1 | |
| 0.1.1 | 11 / 1 | |
| 0.1.0 | 11 / 1 | |
| 0.0.11 | 11 / 1 | |
| 0.0.10 | 11 / 1 | |
| 0.0.9 | 11 / 1 | |
| 0.0.8 | 10 / 1 | |
| 0.0.7 | 9 / 1 | |
| 0.0.6 | 9 / 1 | |
| 0.0.5 | 9 / 1 | |
| 0.0.4 | 9 / 1 | |
| 0.0.3 | 9 / 1 | |
| 0.0.2 | 9 / 1 | |
| 0.0.1 | 9 / 1 | |