object-inspect
string representations of objects in node and the browser
Versions: 39
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ljharb, emilbayes
Keywords
inspect, util.inspect, object, stringify, pretty
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Known legitimate transfer from substack to ljharb/inspect-js org; repo URL confirms the transfer. ljharb is a well-established npm maintainer with a long track record. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Diff is against v1.4.0 (very old); 23 new files reflect legitimate package growth over many versions, not injected code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): substack's removal is part of the documented transfer to ljharb/inspect-js; not a hijack. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): object-inspect 0.0.0 is a legitimate early-era npm package by substack, published 12+ years ago. Version 0.0.0 reflects old npm conventions, not malicious intent. | ai | |
| provenance | publisher-changed | AI (provenance): Well-documented transfer from substack to ljharb; ljharb is a trusted maintainer who now maintains the inspect-js org. This is a stable historical fact for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ljharb and emilbayes are legitimate maintainers added as part of the known substack→ljharb transfer. Stable for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from 4KB to 43KB is explained by addition of test files, eslint config, and dev tooling infrastructure — not injected payload. Stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance on npm by many years; absence of attestation is expected and not a risk signal for this package. | ai | |
| phantom-deps | phantom-dep:tape | AI (phantom-deps): tape is a test runner used only in test scripts; it's a phantom dep due to being in dependencies instead of devDependencies, a common pattern in older packages. No security risk. | ai | |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 1.13.4 | 0 / 24 | |
| 1.13.3 | 0 / 23 | |
| 1.13.2 | 0 / 23 | |
| 1.13.1 | 0 / 21 | |
| 1.13.0 | 0 / 21 | |
| 1.12.3 | 0 / 19 | |
| 1.12.2 | 0 / 17 | |
| 1.12.1 | 0 / 17 | |
| 1.12.0 | 0 / 15 | |
| 1.11.1 | 0 / 13 | |
| 1.11.0 | 0 / 11 | |
| 1.10.3 | 0 / 11 | |
| 1.10.2 | 0 / 11 | |
| 1.10.1 | 0 / 11 | |
| 1.10.0 | 0 / 11 | |
| 1.9.0 | 0 / 9 | |
| 1.8.0 | 0 / 9 | |
| 1.7.0 | 0 / 5 | |
| 1.6.0 | 0 / 3 | |
| 1.5.0 | 0 / 3 | |
| 1.4.1 | 0 / 3 | |
| 1.4.0 | 0 / 3 | |
| 1.3.0 | 0 / 2 | |
| 1.2.2 | 0 / 1 | |
| 1.2.1 | 0 / 1 | |
| 1.2.0 | 0 / 1 | |
| 1.1.0 | 0 / 1 | |
| 1.0.2 | 0 / 1 | |
| 1.0.1 | 0 / 1 | |
| 1.0.0 | 0 / 1 | |
| 0.4.0 | 0 / 1 | |
| 0.3.1 | 0 / 1 | |
| 0.3.0 | 0 / 1 | |
| 0.2.0 | 0 / 1 | |
| 0.1.3 | 1 / 0 | |
| 0.1.2 | 1 / 0 | |
| 0.1.1 | 1 / 0 | |
| 0.1.0 | 0 / 0 | |
| 0.0.0 | 0 / 0 | |