somever
Semantic versioning rules parser
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from hueniverse to nargonath reflects the documented hapi.js project maintainer transition. nargonath is a well-known hapi.js contributor with a strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (nargonath, devinivy, marsup, nlf) are all recognized hapi.js ecosystem contributors; this is a legitimate project handoff. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by publish aligns with the hapi.js project's maintainer transition timeline; no malicious indicators present. | ai | |
v2.0.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
2 findings:
- This version was published by a different npm account than previous versions on 2024-01-06. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.