repo-utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:parse-git-config | AI (dependencies): parse-git-config is a legitimate, well-known utility from the same jonschlinkert ecosystem, directly relevant to this package's purpose. | ai | |
| provenance | publisher-changed | AI (provenance): doowb (Brian Woodward) is a known jonschlinkert ecosystem collaborator with 1351 approved packages and 4585 days of history. This is a legitimate maintainer transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): doowb is a well-established collaborator in the jonschlinkert/Assemble ecosystem; addition is a legitimate handoff, not a suspicious takeover. | ai | |
| phantom-deps | phantom-dep:omit-empty | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:is-absolute | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:parse-author | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:project-name | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:lazy-cache | AI (phantom-deps): jonschlinkert packages commonly use lazy-cache to lazily require deps; they appear in a cache object rather than top-level imports, causing phantom-dep false positives. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:parse-git-config | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:parse-github-url | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:git-config-path | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:kind-of | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:mixin-deep | AI (phantom-deps): Lazy-cache pattern causes phantom-dep false positives for this publisher's packages. Dep is legitimately declared and used indirectly. | ai | |
| provenance | no-provenance | AI (provenance): Established package from a trusted publisher; lack of Sigstore provenance is common and not a security risk for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.4.1 | 13 / 7 | |
| 0.4.0 | 13 / 8 | |
| 0.3.7 | 12 / 8 | |
| 0.3.6 | 12 / 8 | |
| 0.2.1 | 7 / 9 | |
| 0.2.0 | 7 / 9 | |
| 0.1.1 | 3 / 2 | |
| 0.1.0 | 3 / 2 | |
v0.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
2 findings
This version was published by a different npm account than previous versions on 2016-12-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
2 findings
This version was published by a different npm account than previous versions on 2016-10-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.