sji
1
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Alon
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:joi | AI (typosquat): 'sji' is an acronym for 'Simple JavaScript Inheritance' — a 14-year-old package by John Resig. The edit distance match to 'joi' is coincidental, not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): 'sji' is an acronym for 'Simple JavaScript Inheritance' — a 14-year-old package by John Resig. The edit distance match to 'ajv' is coincidental, not a typosquat. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Very old (5160 days) minimal utility package from early Node.js era; missing metadata is a historical norm, not a spam indicator. Has an inbound approved-dep edge. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.0.1 | 0 / 0 |
v0.0.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.