← Home

telejson

npm Repository Homepage

A library for teleporting rich data to another place.

44
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ndelangenghengeveldshilmanyannbfstephanemw

Keywords

JSONcycliccyclicaldateparseregexstringify

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): yannbf is a Storybook core team member; transition from ndelangen to yannbf is a legitimate org-internal maintainer change within storybookjs. ai
maintainer-change maintainer-added AI (maintainer-change): yannbf has a strong track record (13k+ approved, 0 rejected) and is a known Storybook contributor; addition is a legitimate org-internal change. ai
source-diff net-exec-file:dist/index.js AI (source-diff): Standard tsup/esbuild bundle output; the 'network + code execution' pattern is bundler boilerplate inlining known utility libs, not malicious dropper behavior. Stable for this package. ai
source-diff net-exec-file:dist/index.mjs AI (source-diff): Same tsup/esbuild bundle output as dist/index.js (ESM variant). False positive for this package's build system. ai
source-diff source-size-tripled AI (source-diff): Size increase is explained by bundling previously-external runtime deps (lodash, memoizerific, etc.) directly into the tsup output. Legitimate refactor, not injected payload. ai

Versions (showing 44 of 44)

Version Deps Published
8.0.0 0 / 16
7.2.0 1 / 22
7.1.0 1 / 20
7.0.4 1 / 20
7.0.3 1 / 20
7.0.2 1 / 20
7.0.1 0 / 21
7.0.0 0 / 21
6.0.8 8 / 15
6.0.7 8 / 15
6.0.6 7 / 18
6.0.5 7 / 18
6.0.4 9 / 15
6.0.3 8 / 16
6.0.2 8 / 16
6.0.1 8 / 15
6.0.0 8 / 15
5.3.3 8 / 15
5.3.2 8 / 15
5.3.1 8 / 15
5.3.0 8 / 15
5.2.0 8 / 15
5.1.1 8 / 15
5.1.0 8 / 15
5.0.2 8 / 15
5.0.1 8 / 15
5.0.0 8 / 15
4.0.1 8 / 15
4.0.0 8 / 15
3.3.0 8 / 15
3.2.0 8 / 15
3.1.0 8 / 15
3.0.3 8 / 15
3.0.2 8 / 15
3.0.1 8 / 15
3.0.0 8 / 15
2.2.2 7 / 7
2.2.1 7 / 7
2.2.0 7 / 7
2.1.1 8 / 7
2.1.0 8 / 7
2.0.0 7 / 7
1.0.1 7 / 7
1.0.0 8 / 6

v8.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.2.0

2 findings
HIGH Publisher changed: ndelangen → yannbf (on 2023-08-21) provenance

This version was published by a different npm account than previous versions on 2023-08-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.4

3 findings
HIGH New file with network + code execution: dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.3

3 findings
HIGH New file with network + code execution: dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.2

3 findings
HIGH New file with network + code execution: dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.1

3 findings
HIGH New file with network + code execution: dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.0

3 findings
HIGH New file with network + code execution: dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.