staged-git-files BSD-2-Clause 10 versions

staged-git-files

npm Repository Homepage

get a list of staged git files and their status

10

Versions

BSD-2-Clause

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mcwhittemore

Keywords

gitpre-commitpost-commithooks

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:child-process-import	AI (semgrep): staged-git-files uses child_process to invoke git commands — this is the core mechanism of the package and is expected across all versions.	ai	2026/04/24
phantom-deps	phantom-dep:node-hooks	AI (phantom-deps): node-hooks is a devDependency used for testing/hooks tooling; not a runtime import and not a risk.	ai	2026/04/24
phantom-deps	phantom-dep:esprima.hks	AI (phantom-deps): esprima.hks is a devDependency used for testing tooling; not a runtime import and not a risk.	ai	2026/04/24
phantom-deps	phantom-dep:beautify.hks	AI (phantom-deps): beautify.hks is a devDependency used for testing tooling; not a runtime import and not a risk.	ai	2026/04/24

Versions (showing 10 of 10)

Version	Deps	Published
1.3.0	0 / 2	2022-02-03
1.2.0	0 / 2	2019-05-07
1.1.2	0 / 2	2018-10-29
1.1.1	0 / 2	2018-03-30
1.1.0	0 / 2	2018-02-20
1.0.0	0 / 2	2018-02-15
0.0.4	0 / 2	2015-01-18
0.0.3	3 / 4	2014-11-16
0.0.2	0 / 5	2013-10-18
0.0.1	3 / 4	2013-10-17

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.