path-utils
Path extras and utilities to extend the Node.js path module.
Versions: 2
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version:
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source: a registry signature only vouches for what npm stored, not for how or from which commit it was built. The axios compromise (March 2026) relied on exactly this gap.
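As an added example (not the scanner's own code), the following derives the three status lines above from a registry version record. The two records are constructed to mirror the per-version fields of an npm packument (`dist.signatures`, `dist.attestations.provenance.predicateType`, `gitHead`); `example-pkg`, the function names and the placeholder signature values are hypothetical, and nothing is fetched.

```javascript
// Added example: classify a registry version record the way the provenance
// panel does. Not the page's or the project's own tooling.

// SLSA predicate types npm provenance attestations carry.
const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

function provenanceStatus(versionMeta) {
  const dist = versionMeta.dist || {};
  const signatures = Array.isArray(dist.signatures) ? dist.signatures : [];
  const attestation = dist.attestations && dist.attestations.provenance;
  const predicateType = attestation ? attestation.predicateType : null;
  // gitHead is written by the publishing npm client, so it is self-reported;
  // anything that is not a full 40-hex SHA-1 is treated as absent.
  const gitHead =
    typeof versionMeta.gitHead === "string" && /^[0-9a-f]{40}$/i.test(versionMeta.gitHead)
      ? versionMeta.gitHead.toLowerCase()
      : null;
  return {
    registrySigned: signatures.length > 0,
    slsaProvenance: predicateType !== null && SLSA_PREDICATES.has(predicateType),
    predicateType,
    // With only the packument in hand the sole source pointer is gitHead; the
    // commit recorded inside a SLSA attestation lives behind dist.attestations.url
    // and would need a separate fetch and signature verification.
    sourceCommit: gitHead,
  };
}

// Map the status to the finding labels used on this page. A registry signature
// alone never clears the provenance finding: it proves the registry served what
// it stored, not that the tarball was built from the repository.
function provenanceFindings(versionMeta) {
  const s = provenanceStatus(versionMeta);
  const findings = [];
  if (!s.slsaProvenance) findings.push("No SLSA provenance");
  if (!s.registrySigned) findings.push("No npm registry signature");
  if (!s.sourceCommit) findings.push("No source commit");
  return findings;
}

// Constructed records, not real registry responses.
const UNATTESTED = {
  name: "path-utils",
  version: "0.1.3",
  dist: {
    tarball: "https://registry.npmjs.org/path-utils/-/path-utils-0.1.3.tgz",
    integrity: "sha512-CONSTRUCTED",
    signatures: [{ keyid: "constructed-registry-key", sig: "constructed-signature" }],
  },
};

const ATTESTED = {
  name: "example-pkg", // hypothetical package
  version: "2.0.0",
  gitHead: "0123456789abcdef0123456789abcdef01234567",
  dist: {
    tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-2.0.0.tgz",
    integrity: "sha512-CONSTRUCTED",
    signatures: [{ keyid: "constructed-registry-key", sig: "constructed-signature" }],
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.0.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

console.log(provenanceFindings(UNATTESTED), provenanceFindings(ATTESTED));
```

For a live check, `npm view <pkg>@<version> dist` returns the same `dist` object, and `npm audit signatures` verifies both the registry signatures and any provenance attestations of the packages in a lockfile against npm's published keys.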
Maintainers
doowb, jonschlinkert
Keywords
file system, file, fs, node, node.js, path, utils
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): jonschlinkert is a well-known collaborator in the assemble/grunt ecosystem alongside doowb; this addition is a legitimate collaboration, not a suspicious takeover. | ai | |
| phantom-deps | phantom-dep:async | AI (phantom-deps): Older utility package lists deps for build/config tooling rather than direct runtime imports; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): Same as async — declared for build tooling context, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): Same as async — declared for build tooling context, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:globule | AI (phantom-deps): Same as async — declared for build tooling context, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Same as async — declared for build tooling context, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:iconv-lite | AI (phantom-deps): Same as async — declared for build tooling context, not a security concern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README style is consistent with early assemble ecosystem packages (circa 2013); link-heavy READMEs were common in that era and do not indicate malicious intent for this established package. | ai | |
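The phantom-deps rule behind the accepted findings above, as an added example rather than the scanner's rule code: it compares what `package.json` declares with what the scanned files actually import. The `package.json`, `index.js` and `Gruntfile.js` contents are constructed for the example (the `lodash` require is invented to show the reverse finding), the `BUILTINS` list is a deliberate subset, and `phantomDeps` and `packageName` are hypothetical names.

```javascript
// Added example: a minimal phantom-dependency check. A dependency is
// "phantom" when package.json declares it but no scanned file imports it;
// the reverse (imported but never declared) is reported as well.

// Partial list of Node built-ins for the example; real tooling should use
// require('module').builtinModules instead.
const BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "os", "path", "stream", "url", "util", "zlib",
]);

// Matches require('x'), import('x'), import ... from 'x', import 'x' and
// export ... from 'x'. Comments and string contents are not parsed, so this
// is a heuristic, exactly like the rule it mirrors.
const IMPORT_RE =
  /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s+(?:[^'";]+?\s+from\s+)?['"]([^'"]+)['"]|\bexport\s+[^'";]+?\s+from\s+['"]([^'"]+)['"]/g;

// Reduce an import specifier to the package that provides it:
// 'node:fs' -> fs, 'lodash/fp' -> lodash, '@scope/pkg/sub' -> @scope/pkg.
// Relative and absolute paths are not packages and yield null.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/")) return null;
  const s = spec.startsWith("node:") ? spec.slice("node:".length) : spec;
  const parts = s.split("/");
  return s.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function phantomDeps(pkg, files) {
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const imported = new Set();
  for (const { code } of files) {
    for (const m of code.matchAll(IMPORT_RE)) {
      const name = packageName(m[1] || m[2] || m[3]);
      if (name && !BUILTINS.has(name)) imported.add(name);
    }
  }
  return {
    phantom: [...declared].filter((d) => !imported.has(d)).sort(),
    undeclared: [...imported].filter((i) => !declared.has(i)).sort(),
  };
}

// Constructed inputs standing in for the package's files.
const PKG = {
  name: "path-utils",
  version: "0.1.3",
  dependencies: {
    async: "*", mkdirp: "*", rimraf: "*", globule: "*", "js-yaml": "*", "iconv-lite": "*",
  },
};
const RUNTIME_FILES = [{
  file: "index.js",
  code: [
    "var path = require('path');",
    "var fs = require('fs');",
    "var _ = require('lodash');", // invented, to show an undeclared import
    "exports.ext = function (f) { return path.extname(f); };",
  ].join("\n"),
}];
const BUILD_FILES = [{
  file: "Gruntfile.js",
  code: [
    "var globule = require('globule');",
    "var yaml = require('js-yaml');",
    "module.exports = function (grunt) {};",
  ].join("\n"),
}];

const runtimeOnly = phantomDeps(PKG, RUNTIME_FILES);
const withBuild = phantomDeps(PKG, RUNTIME_FILES.concat(BUILD_FILES));
console.log({ runtimeOnly, withBuild });
```

Scanning only the runtime entry point flags all six declared dependencies; adding the build config clears `globule` and `js-yaml`, which is the scope distinction the reviewer's reasoning rests on. The remaining four are still declared without any import in the scanned files, so the accepted-risk entries stand on the reviewer's judgement, not on the rule.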
v0.1.3
1 finding
LOW | provenance | No provenance attestation
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance by publishing with `npm publish --provenance` from a supported CI/CD provider (GitHub Actions or GitLab CI), which attaches a SLSA attestation linking the tarball to the build and its source commit.
v0.1.0
1 finding
LOW | provenance | No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.