randexp — Greenflagged

Create random strings that match a given regular expression.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

fent

Keywords

regexregexpregular expressionrandomtest

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-dropped	AI (source-diff): Size drop explained by extraction of regex tokenizer into the 'ret' dependency (also by fent). Standard refactoring pattern, not a stub replacement.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change to fent in 2014 is legitimate — fent is the documented author in package.json with matching GitHub repo and homepage. 11-year-old transfer with clean track record.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): fent is the documented author; addition is part of a legitimate 2014 ownership transfer.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of 'neat' is part of the same legitimate 2014 transfer to the documented author fent.	ai	2026/04/22
maintainer-change	maintainer-takeover	AI (maintainer-change): Transfer occurred in 2014 to fent (Roly Fentanes), the documented author of the package. Publisher has 29 approved packages and 0 rejected. Clearly a legitimate historical transition.	ai	2026/04/22
dependencies	unvetted-dep:drange	AI (dependencies): drange is a legitimate range utility replacing discontinuous-range; a natural fit for randexp's regex character range handling. No malicious signals.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): drange replaces discontinuous-range as a cleaner range library; this is a routine dependency modernization by a trusted publisher with no suspicious signals.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established package published long before Sigstore provenance was available on npm; absence is expected and not a risk signal for this package.	ai	2026/04/21

Versions (showing 20 of 20)

Version	Deps	Published
0.5.3	2 / 9	2018-07-21
0.5.2	2 / 9	2018-02-23
0.5.1	2 / 9	2018-02-11
0.5.0	2 / 9	2018-02-10
0.4.9	2 / 9	2018-02-27
0.4.8	2 / 9	2018-02-15
0.4.7	2 / 9	2018-02-10
0.4.6	2 / 9	2017-08-10
0.4.5	2 / 9	2017-03-03
0.4.4	2 / 9	2016-12-05
0.4.3	2 / 9	2016-07-18
0.4.2	2 / 8	2015-12-02
0.4.1	2 / 8	2015-09-27
0.4.0	2 / 1	2014-09-19
0.3.4	1 / 1	2014-06-28
0.3.3	1 / 1	2013-09-29
0.3.2	1 / 1	2013-07-20
0.3.1	1 / 1	2011-12-31
0.3.0	1 / 1	2011-12-29
0.1.1	0 / 1	2011-12-06