tinyspy
A minimal fork of nanospy, with more features

Versions: 23
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers: antfu, aslemammad, oreanno
Keywords: spy, mock, typescript, method
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within tinylibs org; oreanno is established publisher. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): antfu is a well-known OSS maintainer and tinylibs collaborator. | ai | |
| provenance | missing-githead | AI (provenance): Package uses clean-publish for publishing, which strips gitHead and other dev metadata by design. This is a documented, legitimate workflow change for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): tinyspy is a legitimate, established package (1590 days old, 50 versions) by a trusted publisher. The 0.0.0 version is simply the initial release, not a malicious throwaway. | ai | |
| bogus-package | bogus-package | AI (bogus-package): tinyspy is a small focused spy/mock utility; short README and no runtime deps are expected characteristics, not spam indicators. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 4.0.4 | 0 / 0 | |
| 4.0.3 | 0 / 0 | |
| 4.0.2 | 0 / 0 | |
| 4.0.1 | 0 / 0 | |
| 4.0.0 | 0 / 0 | |
| 3.0.2 | 0 / 0 | |
| 3.0.1 | 0 / 0 | |
| 3.0.0 | 0 / 0 | |
| 1.1.0 | 0 / 0 | |
| 0.2.6 | 0 / 0 | |
| 0.0.13 | 0 / 0 | |
| 0.0.12 | 0 / 0 | |
| 0.0.11 | 0 / 12 | |
| 0.0.10 | 0 / 12 | |
| 0.0.9 | 0 / 12 | |
| 0.0.8 | 0 / 12 | |
| 0.0.7 | 0 / 12 | |
| 0.0.6 | 0 / 11 | |
| 0.0.5 | 0 / 11 | |
| 0.0.3 | 0 / 11 | |
| 0.0.2 | 0 / 11 | |
| 0.0.1 | 0 / 10 | |
| 0.0.0 | 0 / 10 | |
v1.1.0 (2 findings)

- HIGH (provenance): Publisher changed: aslemammad → oreanno (on 2023-02-07)
  This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
- LOW (provenance): No provenance attestation
  Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.