q
A library for promises (CommonJS/Promises/A,B,D)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:collections | AI (dependencies): collections is a sibling package by the same author (kriskowal) and is a legitimate, documented runtime dependency of [email protected]. Not a supply-chain risk. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase in early q versions is due to addition of test suites and examples, not bundled payloads. Consistent with the package's known development history. | ai | |
| source-diff | large-new-source-files | AI (source-diff): q is a foundational promises library; early versions grew rapidly with tests and examples. File count growth reflects legitimate organic development, not injected code. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Domenic Denicola is a documented contributor to q and a legitimate co-maintainer; this 2013 transition is well-known and not a compromise signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Domenic is listed as a contributor in package.json and is a well-established npm publisher; the maintainer addition is legitimate. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): event-queue and test are legitimate deps for this era's promise library; consistent with q's documented design and test infrastructure. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): /etc/passwd access is in examples/step2.js as a canonical file-reading demo for the promise API — not credential harvesting. | ai | |
| phantom-deps | phantom-dep:event-queue | AI (phantom-deps): Phantom dependency pattern is normal for test/build config references; not a security concern for this established package. | ai | |
| phantom-deps | phantom-dep:test | AI (phantom-deps): Test dependency referenced in test script and directory config; standard pattern, already marked accepted by analyzer. | ai | |
| dependencies | unvetted-dep:test | AI (dependencies): The test package is a dev/test-only dependency misclassified as runtime in this very old package version; benign historical packaging artifact. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): [email protected] is the legitimate historical initial release of Kris Kowal's well-known promises library, published ~15 years ago. The 0.0.0 version is not indicative of malicious intent here. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): The new Function() call is a one-line ES6 generator feature-detection probe wrapped in try/catch. It compiles a static string literal with no external input — a well-known benign capability-detection pattern. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): q is a long-established, well-known promises library; single-char name makes levenshtein matches to other packages unavoidable and meaningless. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Same rationale: q is a canonical package name, not a typosquat of qs. | ai |
Versions (showing 51 of 74)
| Version | Deps | Published |
|---|---|---|
| 2.0.3 | 3 / 13 | |
| 2.0.2 | 2 / 13 | |
| 2.0.1 | 2 / 13 | |
| 2.0.0 | 2 / 13 | |
| 1.5.1 | 0 / 9 | |
| 1.5.0 | 0 / 9 | |
| 1.4.1 | 0 / 9 | |
| 1.4.0 | 0 / 9 | |
| 1.3.0 | 0 / 9 | |
| 1.2.1 | 0 / 9 | |
| 1.2.0 | 0 / 9 | |
| 1.1.2 | 0 / 9 | |
| 1.1.1 | 0 / 9 | |
| 1.1.0 | 0 / 9 | |
| 1.0.1 | 0 / 9 | |
| 1.0.0 | 0 / 9 | |
| 0.9.7 | 0 / 9 | |
| 0.9.6 | 0 / 8 | |
| 0.9.5 | 0 / 8 | |
| 0.9.3 | 0 / 5 | |
| 0.9.2 | 0 / 5 | |
| 0.9.1 | 0 / 5 | |
| 0.9.0 | 0 / 5 | |
| 0.8.12 | 0 / 5 | |
| 0.8.11 | 0 / 4 | |
| 0.8.10 | 0 / 4 | |
| 0.8.9 | 0 / 4 | |
| 0.8.8 | 0 / 4 | |
| 0.8.7 | 0 / 4 | |
| 0.8.6 | 0 / 3 | |
| 0.8.5 | 0 / 2 | |
| 0.8.4 | 0 / 2 | |
| 0.8.3 | 0 / 2 | |
| 0.8.2 | 1 / 1 | |
| 0.8.1 | 1 / 1 | |
| 0.8.0 | 1 / 1 | |
| 0.7.2 | 1 / 2 | |
| 0.7.1 | 1 / 2 | |
| 0.7.0 | 2 / 1 | |
| 0.6.0 | 2 / 1 | |
| 0.5.3 | 2 / 1 | |
| 0.5.2 | 2 / 1 | |
| 0.5.1 | 2 / 1 | |
| 0.5.0 | 2 / 1 | |
| 0.4.4 | 2 / 1 | |
| 0.4.2 | 2 / 0 | |
| 0.4.1 | 2 / 0 | |
| 0.4.0 | 2 / 0 | |
| 0.3.0 | 2 / 0 | |
| 0.2.10 | 2 / 0 | |
| 0.2.9 | 2 / 0 |
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
2 findingsThis version was published by a different npm account than previous versions on 2013-04-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
2 findingsThis version was published by a different npm account than previous versions on 2013-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
2 findingsThis version was published by a different npm account than previous versions on 2013-03-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.12
2 findingsThis version was published by a different npm account than previous versions on 2012-12-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.4
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
4 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 7 | return [ 8 | FS.read(__filename), > 9 | FS.read("/etc/passwd") 10 | ]; 11 | },
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | function (self, passwd) { 13 | console.log(__filename + ':', self.length); > 14 | console.log('/etc/passwd:', passwd.length); 15 | } 16 | );
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 5 | Q.when(Q.deep({ 6 | "self": FS.read(__filename), > 7 | "passwd": FS.read("/etc/passwd") 8 | })).then(function (texts) { 9 | console.log(__filename + ":" + texts.self.length);
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.