npm — Greenflagged

a package manager for JavaScript

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Keywords

installmodulespackage managerpackage.json

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:node_modules/diff/lib/patch/line-endings.js	AI (source-diff): Babel-transpiled output from the diff library; long lines are from transpiler helpers, not obfuscation.	ai	2026/05/23
source-diff	obfuscated-file:node_modules/@isaacs/cliui/node_modules/emoji-regex/index.js	AI (source-diff): emoji-regex contains long Unicode regex patterns for emoji matching, not obfuscated code. Standard false positive for this package.	ai	2026/04/23
source-diff	obfuscated-file:node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/index.js	AI (source-diff): emoji-regex contains long Unicode regex patterns for emoji matching, not obfuscated code. Standard false positive for this package.	ai	2026/04/23
source-diff	net-exec-file:node_modules/event-target-shim/dist/event-target-shim.umd.js	AI (source-diff): Standard UMD wrapper from event-target-shim; bundled dependency of npm CLI. Not malware.	ai	2026/04/23
source-diff	obfuscated-file:node_modules/libnpmdiff/node_modules/diff/lib/diff/base.js	AI (source-diff): Bundled diff library; transpiled/minified code is expected for npm CLI dependencies.	ai	2026/04/23
source-diff	obfuscated-file:node_modules/libnpmdiff/node_modules/diff/lib/patch/apply.js	AI (source-diff): Bundled diff library; transpiled/minified code is expected for npm CLI dependencies.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): @npmcli/redact is an internal npm CLI dependency for credential redaction; legitimate addition.	ai	2026/04/23
provenance	missing-githead	AI (provenance): gitHead absence is acceptable for npm CLI; published by trusted gar account with strong track record.	ai	2026/04/23
source-diff	net-exec-file:node_modules/ajv/dist/ajv.bundle.js	AI (source-diff): Bundled minified library (ajv validator); legitimate build artifact, not malware.	ai	2026/04/23
source-diff	net-exec-file:node_modules/ajv/dist/ajv.min.js	AI (source-diff): Bundled minified library (ajv validator); legitimate build artifact, not malware.	ai	2026/04/23
phantom-deps	phantom-dep:lodash._cacheindexof	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
dependencies	unvetted-dep:config-chain	AI (dependencies): config-chain is a standard npm CLI dependency for config file loading; stable constraint ^1.1.12.	ai	2026/04/22
dependencies	unvetted-dep:validate-npm-package-license	AI (dependencies): Validates package.json license fields; legitimate npm utility dependency.	ai	2026/04/22
dependencies	unvetted-dep:request	AI (dependencies): request is a widely-used HTTP library; legitimate for npm's registry communication.	ai	2026/04/22
phantom-deps	phantom-dep:lodash._baseuniq	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
phantom-deps	phantom-dep:lodash.restparam	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
phantom-deps	phantom-dep:lodash._baseindexof	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
phantom-deps	phantom-dep:lodash._createcache	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
phantom-deps	phantom-dep:lodash._bindcallback	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
dependencies	unvetted-dep:JSONStream	AI (dependencies): JSONStream is a standard npm CLI dependency for streaming JSON parsing; stable constraint ^1.3.5.	ai	2026/04/22
phantom-deps	phantom-dep:sha	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree, not directly imported.	ai	2026/04/22
phantom-deps	phantom-dep:unpipe	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
phantom-deps	phantom-dep:node-gyp	AI (phantom-deps): node-gyp is a known implicit/runtime dependency of npm; invoked as a subprocess, not directly imported.	ai	2026/04/22
phantom-deps	phantom-dep:lazy-property	AI (phantom-deps): Listed in bundleDependencies; used transitively within npm's bundled dependency tree.	ai	2026/04/22
source-diff	obfuscated-file:node_modules/diff/lib/patch/create.js	AI (source-diff): Babel-transpiled output from the bundled 'diff' package with istanbul coverage markers. Long lines are helper functions, not obfuscation. Stable false positive for npm CLI's bundled deps.	ai	2026/04/22
source-diff	net-exec-file:node_modules/abort-controller/dist/abort-controller.umd.js	AI (source-diff): Standard UMD wrapper from abort-controller; bundled dependency of npm CLI. Not malware.	ai	2026/04/22
dependencies	unvetted-dep:sorted-object	AI (dependencies): sorted-object is a legitimate utility bundled by npm. Not a risk.	ai	2026/04/22
dependencies	unvetted-dep:editor	AI (dependencies): editor is a legitimate, well-known utility bundled by npm. Not a risk.	ai	2026/04/22
dependencies	unvetted-dep:byte-size	AI (dependencies): byte-size is a legitimate utility for formatting byte sizes used in npm's output display; not a risk for this package.	ai	2026/04/22
source-diff	obfuscated-file:node_modules/diff/lib/patch/apply.js	AI (source-diff): Bundled transpiled/minified library code; standard build artifact from diff package.	ai	2026/04/22
source-diff	obfuscated-file:node_modules/diff/lib/diff/base.js	AI (source-diff): Bundled transpiled/minified library code; standard build artifact from diff package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change from lukekarrys to gar is legitimate team transition; gar has 1649 approved packages.	ai	2026/04/22
dependencies	unvetted-dep:libnpx	AI (dependencies): libnpx is an official npm Inc. package bundled with the npm CLI.	ai	2026/04/22
dependencies	unvetted-dep:libnpm	AI (dependencies): libnpm is an official npm Inc. package; unvetted status is a registry gap, not a security concern for the npm CLI itself.	ai	2026/04/22
dependencies	unvetted-dep:libcipm	AI (dependencies): libcipm is an official npm Inc. package bundled with the npm CLI.	ai	2026/04/22
dependencies	unvetted-dep:read-package-json	AI (dependencies): read-package-json is npm's package.json parser; bundled core dependency.	ai	2026/04/22
dependencies	unvetted-dep:readdir-scoped-modules	AI (dependencies): npm ecosystem utility package bundled with npm CLI. Legitimate and expected dependency for a package manager.	ai	2026/04/22
dependencies	unvetted-dep:mkdirp-infer-owner	AI (dependencies): npm ecosystem utility package bundled with npm CLI. Legitimate and expected dependency for a package manager.	ai	2026/04/22
dependencies	unvetted-dep:@npmcli/ci-detect	AI (dependencies): First-party @npmcli package, bundled with npm CLI. Legitimate dependency of the npm package manager itself.	ai	2026/04/22
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect used for proxy-based command dispatch, not malicious obfuscation.	ai	2026/04/22
semgrep	semgrep:obfuscation-global-buffer	AI (semgrep): Known npm easter egg (birthday message); not malicious obfuscation.	ai	2026/04/22
semgrep	semgrep:npmrc-access	AI (semgrep): Accessing .npmrc is expected for npm configuration and auth token management.	ai	2026/04/22
npm-metadata	bundled-binaries	AI (npm-metadata): term-size binaries are prebuilt native modules for terminal detection; expected for npm.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer additions (reggi, hashtagchris, owlstronaut) reflect legitimate team expansion in active npm CLI project.	ai	2026/04/22
semgrep	semgrep:env-bulk-read	AI (semgrep): Environment variable enumeration in config.js is expected for proxy/config handling in package managers.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removals (fritzy, lukekarrys) are consistent with normal team transitions in large projects.	ai	2026/04/22
dependencies	unvetted-dep:cli-columns	AI (dependencies): cli-columns is a well-known utility used by the npm CLI for formatting output; stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:@npmcli/arborist	AI (dependencies): @npmcli/arborist is a core first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:libnpmexec	AI (dependencies): libnpmexec is a first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:libnpmhook	AI (dependencies): libnpmhook is a first-party npm CLI dependency maintained by the same GitHub/npm team; stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:pacote	AI (dependencies): pacote is a core npm ecosystem package for package fetching; legitimate dependency for npm.	ai	2026/04/22
dependencies	unvetted-dep:@npmcli/config	AI (dependencies): @npmcli/config is an internal npm CLI dependency; unvetted status is expected.	ai	2026/04/22
dependencies	unvetted-dep:ini	AI (dependencies): ini is a standard npm CLI dependency for .npmrc parsing; stable constraint ^1.3.8.	ai	2026/04/22
dependencies	unvetted-dep:@npmcli/run-script	AI (dependencies): @npmcli/run-script is an internal npm CLI dependency; unvetted status is expected.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): 388 new files reflect bundled dependencies (path-scurry, lru-cache) listed in bundleDependencies; expected for monorepo.	ai	2026/04/22
dependencies	unvetted-dep:spdx-expression-parse	AI (dependencies): spdx-expression-parse is a standard SPDX license expression parser; legitimate dependency for npm's license handling.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard for npm CLI; package is published by trusted npm organization.	ai	2026/04/22
semgrep	semgrep:child-process-spawn	AI (semgrep): child_process.spawn in edit.js spawns user-configured editors; legitimate npm feature for package.json editing.	ai	2026/04/22
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding of HTTP Basic auth credentials is expected in package manager handling npm authentication.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used for spawning editors and system commands in npm's config and edit commands; documented functionality.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in CLI command loader is standard pattern for pluggable command architecture; stable for npm CLI.	ai	2026/04/22
typosquat	typosquat.levenshtein:pg	AI (typosquat): npm is the canonical package manager name, not a typosquat. Levenshtein distance to pg is incidental.	ai	2026/04/21