object.map
Similar to map for arrays, this creates a new object by calling the callback on each property of the original object.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): phated (Blaine Bublitz) is a listed contributor and known collaborator in the jonschlinkert ecosystem; legitimate maintainer transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): doowb and phated are both listed contributors in package.json and well-known collaborators of jonschlinkert. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Small stable utility; infrequent publishes are normal. No material changes in this version. | ai | |
| provenance | no-provenance | AI (provenance): Published in 2017, before Sigstore provenance existed. | ai |
v1.0.1
2 findingsThis version was published by a different npm account than previous versions on 2017-12-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.