sirv
The optimized & lightweight middleware for serving requests to static assets
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): lukeed is a highly trusted publisher; missing gitHead is a benign publish-environment change for this package. | ai | |
| dependencies | unvetted-dep:mrmime | AI (dependencies): mrmime is a well-known lukeed package, a long-standing dependency of sirv with no security concerns. | ai | |
| dependencies | unvetted-dep:totalist | AI (dependencies): totalist is a well-known lukeed package, a long-standing dependency of sirv with no security concerns. | ai | |
| dependencies | unvetted-dep:@polka/url | AI (dependencies): @polka/url is a well-known lukeed package, a long-standing dependency of sirv with no security concerns. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): sirv is a long-established, high-download package by a trusted publisher; 0.0.0 is a historical placeholder slot, not a malicious throwaway. | ai | |
| bogus-package | bogus-package | AI (bogus-package): The 0.0.0 stub predates the real package content; sirv has 25.1M weekly downloads and 50 versions — clearly not a spam/bogus package. | ai | |
| provenance | no-provenance | AI (provenance): lukeed's packages consistently lack Sigstore provenance; this is a known gap for this publisher and not a risk indicator for this package. | ai |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 3.0.2 | 3 / 0 | |
| 3.0.1 | 3 / 0 | |
| 3.0.0 | 3 / 0 | |
| 2.0.4 | 3 / 0 | |
| 2.0.3 | 3 / 0 | |
| 2.0.2 | 3 / 0 | |
| 2.0.0 | 3 / 0 | |
| 1.0.19 | 3 / 0 | |
| 1.0.18 | 3 / 0 | |
| 1.0.17 | 3 / 0 | |
| 1.0.16 | 3 / 0 | |
| 1.0.15 | 3 / 0 | |
| 1.0.14 | 3 / 0 | |
| 1.0.13 | 3 / 0 | |
| 1.0.12 | 3 / 0 | |
| 1.0.11 | 3 / 0 | |
| 1.0.10 | 3 / 0 | |
| 1.0.9 | 3 / 0 | |
| 1.0.7 | 3 / 0 | |
| 1.0.6 | 3 / 0 | |
| 1.0.5 | 3 / 0 | |
| 1.0.1 | 3 / 0 | |
| 1.0.0 | 3 / 0 | |
| 0.4.6 | 2 / 0 | |
| 0.4.2 | 2 / 0 | |
| 0.4.1 | 2 / 0 | |
| 0.4.0 | 2 / 0 | |
| 0.3.1 | 2 / 0 | |
| 0.3.0 | 2 / 0 | |
| 0.2.5 | 2 / 0 | |
| 0.2.4 | 3 / 0 | |
| 0.2.2 | 3 / 0 | |
| 0.2.1 | 3 / 0 | |
| 0.2.0 | 3 / 0 | |
| 0.1.5 | 3 / 0 | |
| 0.1.4 | 3 / 0 | |
| 0.1.3 | 3 / 0 | |
| 0.1.2 | 3 / 0 | |
| 0.1.1 | 3 / 0 | |
| 0.1.0 | 3 / 0 | |
| 0.0.0 | 0 / 0 |
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukeed.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukeed.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukeed.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukeed.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukeed.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.