
pacote

JavaScript package downloader

Versions: 100
License: ISC
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:

SLSA provenance attestation
npm registry signatures
gitHead linked
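The three status items above are checkable offline once the attestation bundle for a version has been fetched from the registry's attestations endpoint (`/-/npm/v1/attestations/<name>@<version>`) and the version's packument entry (which carries `dist.integrity` and `gitHead`) is at hand. The block below is an added example, not pacote's or npm's own code: it decodes the DSSE envelope of a provenance attestation and checks the two links a reviewer cares about, that the statement's subject is this exact package version with the served tarball's sha512, and that the SLSA source commit equals the manifest's gitHead. It does not verify the Sigstore signature, certificate or transparency-log entry, and it does not cover the separate registry signature; signature verification must run first, before any decoded field is trusted. Statement field paths follow the in-toto and SLSA specifications; the sample statement, digest, commit and signature are constructed.

```javascript
// Added illustration (not pacote's or npm's own code): decode the DSSE
// envelope of an npm provenance attestation and check that the SLSA
// statement is linked to the published tarball (subject digest) and to
// the manifest's gitHead (source commit). It does NOT verify the Sigstore
// signature, certificate or transparency-log entry; that must be done
// first (e.g. with the sigstore library) before any field here is trusted.

// DSSE payloadType for in-toto statements, per the in-toto attestation spec.
const IN_TOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';

// Decode a DSSE envelope: payload is the statement JSON in standard base64.
// Buffer.from(..., 'base64') silently skips bad characters, so round-trip
// the bytes to reject payloads that are not clean, padded base64.
function decodeDsseEnvelope(envelope) {
  if (!envelope || envelope.payloadType !== IN_TOTO_PAYLOAD_TYPE) {
    throw new Error(`unexpected DSSE payloadType: ${envelope && envelope.payloadType}`);
  }
  if (typeof envelope.payload !== 'string') {
    throw new Error('DSSE envelope has no string payload');
  }
  const raw = Buffer.from(envelope.payload, 'base64');
  if (raw.toString('base64') !== envelope.payload) {
    throw new Error('DSSE payload is not canonical base64');
  }
  return JSON.parse(raw.toString('utf8'));
}

// Locate the source repository and commit in a SLSA predicate. Field paths
// follow the SLSA provenance spec: v1 records it under
// buildDefinition.resolvedDependencies, v0.2 under invocation.configSource.
function sourceFromStatement(statement) {
  const p = statement.predicate || {};
  const stripRef = (uri) => uri.replace(/@.*$/, ''); // drop "@refs/heads/main"
  if (statement.predicateType === 'https://slsa.dev/provenance/v1') {
    const deps = (p.buildDefinition && p.buildDefinition.resolvedDependencies) || [];
    const src = deps.find((d) => d.uri && d.uri.startsWith('git+https://') && d.digest && d.digest.gitCommit);
    return src ? { repo: stripRef(src.uri), commit: src.digest.gitCommit } : null;
  }
  if (statement.predicateType === 'https://slsa.dev/provenance/v0.2') {
    const cs = p.invocation && p.invocation.configSource;
    return cs && cs.uri && cs.digest && cs.digest.sha1
      ? { repo: stripRef(cs.uri), commit: cs.digest.sha1 }
      : null;
  }
  return null;
}

// Tie the attestation to what the registry actually served: the subject
// must name this exact package version (as a purl; scoped names encode
// the leading "@" as "%40") with the tarball's sha512, and the source
// commit must equal the manifest's gitHead.
function checkProvenanceLink({ envelope, packageName, version, tarballSha512Hex, gitHead }) {
  const statement = decodeDsseEnvelope(envelope);
  const problems = [];
  const purlName = packageName.startsWith('@') ? '%40' + packageName.slice(1) : packageName;
  const purl = `pkg:npm/${purlName}@${version}`;
  const subject = (statement.subject || []).find((s) => s.name === purl);
  if (!subject) {
    problems.push(`no subject for ${purl}`);
  } else if (!subject.digest || subject.digest.sha512 !== tarballSha512Hex) {
    problems.push('subject sha512 does not match the published tarball');
  }
  const source = sourceFromStatement(statement);
  if (!source) {
    problems.push(`no usable source commit in predicate ${statement.predicateType}`);
  } else if (source.commit !== gitHead) {
    problems.push(`provenance commit ${source.commit} != manifest gitHead ${gitHead}`);
  }
  return { ok: problems.length === 0, problems, predicateType: statement.predicateType, source };
}

// Constructed sample (not a real attestation): a SLSA v1 statement for
// pacote@10.3.0 in a DSSE envelope. Digest, commit and signature are fake.
const SAMPLE_SHA512 = 'ab'.repeat(64);
const SAMPLE_COMMIT = '0123456789abcdef0123456789abcdef01234567';
const sampleStatement = {
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: 'pkg:npm/pacote@10.3.0', digest: { sha512: SAMPLE_SHA512 } }],
  predicateType: 'https://slsa.dev/provenance/v1',
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
      resolvedDependencies: [
        { uri: 'git+https://github.com/npm/pacote@refs/heads/main', digest: { gitCommit: SAMPLE_COMMIT } },
      ],
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};
const sampleEnvelope = {
  payloadType: IN_TOTO_PAYLOAD_TYPE,
  payload: Buffer.from(JSON.stringify(sampleStatement)).toString('base64'),
  signatures: [{ keyid: '', sig: 'c2lnbmF0dXJlLW5vdC1jaGVja2VkLWhlcmU=' }], // placeholder, not verified here
};

// gitHead and integrity as they would appear in the version's packument entry.
const result = checkProvenanceLink({
  envelope: sampleEnvelope, packageName: 'pacote', version: '10.3.0',
  tarballSha512Hex: SAMPLE_SHA512, gitHead: SAMPLE_COMMIT,
});
console.log(result.ok ? `linked to ${result.source.repo}@${result.source.commit}` : result.problems);
```

The subject check matters because an attestation is only as good as what it is bound to: a valid signature over a statement whose subject digest differs from the tarball in `dist.integrity` proves nothing about that tarball. The gitHead comparison is what turns "has provenance" into "gitHead linked".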

Maintainers

gar, saquibkhan, npm-cli-ops, reggi, hashtagchris, owlstronaut

Keywords

packages, npm, git

Accepted risks

Findings the reviewer chose to accept rather than block on. Columns: Source | Rule | Reason | Accepted by | When (the When column is blank on this page).

provenance | publisher-changed | AI (provenance): npm org packages now publish via GitHub Actions CI/CD with SLSA provenance; this is the expected publisher for all future npm CLI packages. | ai |
semgrep | semgrep:env-spread | AI (semgrep): pacote spawns npm install for git deps and must pass the parent environment; standard subprocess invocation pattern. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): decodes DSSE envelope payloads from Sigstore attestations; base64 is the canonical encoding per the DSSE spec. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): pacote is a git-aware package fetcher; importing child_process to run git commands is core, documented functionality across all versions. | ai |
semgrep | semgrep:child-process-spawn | AI (semgrep): spawning the git binary is the intended mechanism for pacote's git dependency support; stable and expected across all versions. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): process.env enumeration in git.js is used to filter safe env vars for the git subprocess, a security-conscious allowlist pattern, not malicious. Stable for this package. | ai |
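The env-spread, child-process-spawn and env-bulk-read rows above describe one pattern: pacote runs git (and npm, for prepare scripts of git dependencies) as a child process with an environment derived from the parent process. The block below is an added illustration of that pattern, not pacote's git.js: the filter rule (drop `npm_*` variables and undefined values, force `GIT_TERMINAL_PROMPT=0`), the `--` separator in front of untrusted positional arguments, and the no-shell spawn options are this example's own choices. The page only states that pacote filters environment variables for its git subprocess, so none of these specifics should be read as a description of pacote's behaviour. The sample parent environment is constructed.

```javascript
// Added illustration, not pacote's git.js: how a package fetcher can hand
// a git child process a trimmed environment and an argv that untrusted
// input cannot turn into options. The filter and forced variables are this
// example's choices; the page only says pacote filters env for git.

// Keep the parent's env (git needs PATH, HOME, SSH_AUTH_SOCK, GIT_* ...),
// but drop npm's per-run npm_* variables and undefined values, and make
// git fail instead of waiting on a credential prompt in CI.
function gitEnv(parentEnv) {
  const env = {};
  for (const [key, value] of Object.entries(parentEnv)) {
    if (value === undefined) continue;   // never pass the string "undefined"
    if (/^npm_/i.test(key)) continue;    // npm_config_*, npm_package_*, npm_lifecycle_*
    env[key] = value;
  }
  env.GIT_TERMINAL_PROMPT = '0';
  return env;
}

// Untrusted strings (refs, URLs, paths) may only appear after '--';
// anything that starts with '-' would otherwise be parsed as an option.
function assertPositional(arg) {
  if (typeof arg !== 'string' || arg.length === 0 || arg.startsWith('-')) {
    throw new Error(`refusing git positional argument ${JSON.stringify(arg)}`);
  }
  return arg;
}

// Build what to spawn: no shell, explicit argv, trimmed env. `flags` are
// caller-owned constants; `positionals` are the values that came from a
// package spec or manifest and are treated as untrusted.
function gitSpawnSpec(subcommand, flags, positionals, { cwd = process.cwd(), parentEnv = process.env } = {}) {
  const args = [subcommand, ...flags];
  if (positionals.length > 0) {
    args.push('--', ...positionals.map(assertPositional));
  }
  return {
    command: 'git',
    args,
    options: { cwd, env: gitEnv(parentEnv), shell: false, stdio: ['ignore', 'pipe', 'pipe'] },
  };
}

// Constructed parent environment (not captured from a real run) showing
// what survives the filter.
const demoParent = {
  PATH: '/usr/bin:/bin', HOME: '/home/ci', SSH_AUTH_SOCK: '/tmp/agent.sock',
  npm_config_registry: 'https://registry.npmjs.org/', npm_lifecycle_event: 'prepare',
  NPM_CONFIG_CACHE: '/tmp/npm-cache', UNSET: undefined,
};
const spec = gitSpawnSpec('ls-remote', ['--tags'], ['https://github.com/npm/pacote.git'], { parentEnv: demoParent });
console.log(spec.args.join(' '), Object.keys(spec.options.env));

// Stand-alone demo: run `git --version` with the trimmed env. The dynamic
// import works in both CommonJS and ESM; a missing git binary just logs.
import('node:child_process').then(({ spawn }) => {
  const v = gitSpawnSpec('--version', [], []);
  const child = spawn(v.command, v.args, v.options);
  child.on('error', (err) => console.error(`git demo skipped: ${err.message}`));
  child.stdout.on('data', (chunk) => process.stdout.write(chunk));
}).catch((err) => console.error(`git demo skipped: ${err.message}`));
```

Passing argv as an array with `shell: false` is what makes the child-process-spawn finding benign: there is no shell to re-parse quotes or metacharacters in a ref or URL. The `--` separator closes the remaining gap, a value that git itself would read as an option.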

Versions (showing 100 of 231)

Version Deps Published
10.3.0 20 / 4
10.2.1 19 / 4
10.2.0 19 / 4
10.1.6 19 / 4
10.1.5 19 / 4
10.1.4 19 / 4
10.1.3 19 / 4
10.1.2 20 / 3
10.1.1 19 / 3
10.1.0 19 / 3
10.0.0 19 / 3
9.5.12 30 / 11
9.5.11 30 / 11
9.5.10 29 / 11
9.5.9 29 / 11
9.5.8 29 / 11
9.5.7 29 / 11
9.5.6 29 / 11
9.5.5 28 / 11
9.5.4 27 / 11
9.5.3 27 / 11
9.5.2 27 / 11
9.5.1 27 / 11
9.5.0 27 / 11
9.4.1 27 / 11
9.4.0 27 / 11
9.3.0 27 / 11
9.2.3 27 / 11
9.2.1 27 / 11
9.2.0 27 / 11
9.1.1 27 / 11
9.1.0 27 / 11
9.0.0 27 / 11
8.1.6 25 / 11
8.1.5 25 / 11
8.1.4 25 / 11
8.1.3 25 / 11
8.1.2 25 / 11
8.1.1 24 / 11
8.1.0 24 / 11
8.0.0 24 / 11
7.6.1 24 / 11
7.6.0 24 / 11
7.5.3 24 / 11
7.5.2 24 / 11
7.5.1 24 / 11
7.5.0 24 / 11
7.4.2 24 / 11
7.4.1 22 / 13
7.4.0 22 / 13
7.3.3 22 / 13
7.3.2 22 / 13
7.3.1 22 / 13
7.3.0 22 / 13
7.2.0 22 / 13
7.1.1 22 / 13
7.1.0 22 / 13
7.0.2 22 / 13
7.0.1 22 / 13
7.0.0 22 / 13
6.1.0 21 / 13
6.0.4 21 / 13
6.0.3 21 / 13
6.0.2 21 / 13
6.0.1 21 / 13
6.0.0 21 / 13
5.0.1 21 / 13
5.0.0 21 / 13
4.0.0 21 / 12
3.0.0 21 / 12
2.7.38 21 / 12
2.7.37 21 / 12
2.7.36 21 / 12
2.7.35 21 / 12
2.7.34 21 / 12
2.7.33 21 / 12
2.7.32 21 / 12
2.7.31 21 / 12
2.7.30 21 / 12
2.7.29 21 / 12
2.7.28 21 / 12
2.7.27 21 / 12
2.7.26 21 / 12
2.7.25 21 / 12
2.7.24 21 / 12
2.7.23 21 / 12
2.7.22 21 / 12
2.7.21 21 / 12
2.7.20 21 / 12
2.7.19 21 / 12
2.7.18 21 / 12
2.7.17 21 / 12
2.7.16 21 / 12
2.7.15 21 / 12
2.7.14 21 / 12
2.7.13 21 / 12
2.7.12 21 / 12
2.7.11 21 / 12
2.7.10 21 / 12
2.7.9 21 / 12

v8.1.3

1 finding

LOW | No provenance attestation | provenance

Package was published without Sigstore provenance, so nothing independently ties its tarball to a source commit or a build (the manifest's gitHead is publisher-supplied and unverified). Only ~12% of npm packages have provenance, so this is common but not ideal.