signale — Greenflagged

👋 Hackable console logger

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

klauscfhqklaussinani

Keywords

hackablecolorfulconsolelogger

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): signale 0.0.0 is the legitimate initial release from 2908 days ago with 2.8M weekly downloads; version 0.0.0 is not suspicious in this context.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): signale is a well-established package with 2.8M weekly downloads and 6 approved-dep edges; sparse early-version metadata does not indicate spam or low value.	ai	2026/04/24
dependencies	unvetted-dep:figures	AI (dependencies): figures is a well-known sindresorhus package for terminal Unicode symbols; a stable, legitimate dependency for a console logger like signale.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): klauscfhq → klaussinani is a documented personal npm username rebranding by the same author (Klaus Sinani). Repository and author email are consistent with the new identity.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): Same rebranding event; klaussinani is the same person as klauscfhq. Not a third-party takeover.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Package was published in 2019, predating Sigstore/npm provenance attestation. No provenance is expected for releases of this era.	ai	2026/04/23

Versions (showing 4 of 4)

Version	Deps	Published
1.4.0	3 / 1	2019-02-26
1.1.0	3 / 1	2018-05-20
1.0.1	3 / 1	2018-05-16
0.0.0	4 / 1	2018-05-07

v1.4.0

2 findings

HIGH Publisher changed: klauscfhq → klaussinani (on 2019-02-26) provenance

This version was published by a different npm account than previous versions on 2019-02-26. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.