← Home

resolve

npm Repository Homepage

resolve like require.resolve() on behalf of files asynchronously and synchronously

2
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ljharb

Keywords

resolverequirenodemodule

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:path-parse AI (dependencies): path-parse is a well-known, stable utility package widely used in the ecosystem; no security concerns for this dependency in resolve. ai
provenance publisher-changed AI (provenance): Publisher change from substack to ljharb is a well-known legitimate transition; stable for this package. ai
maintainer-change maintainer-takeover AI (maintainer-change): substack→ljharb transition is a well-known, legitimate handoff; ljharb maintains many former substack packages. Stable for this package. ai
maintainer-change maintainer-added AI (maintainer-change): ljharb is the legitimate current maintainer of resolve; this transition is years old and well-documented. ai
maintainer-change maintainer-removed AI (maintainer-change): substack's removal is part of the known legitimate maintainer transition to ljharb. ai
npm-metadata suspicious-initial-version AI (npm-metadata): resolve is a 14+ year old legitimate package with 100 versions; the 0.0.0 version predates modern malicious usage of that version string and is a stable false positive for this package. ai
provenance no-provenance AI (provenance): resolve is a long-established package from a trusted publisher; lack of provenance attestation is not a meaningful risk signal here. ai
phantom-deps phantom-dep:supports-preserve-symlinks-flag AI (phantom-deps): supports-preserve-symlinks-flag is an optional/conditional dependency referenced in config; not directly imported by design. Stable false positive for this package. ai

Versions (showing 2 of 2)

Version Deps Published
1.22.11 3 / 16
1.22.10 3 / 16

v1.22.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.22.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.