← Home

tuf-js

npm Repository Homepage

JavaScript implementation of The Update Framework (TUF)

2
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

bdehamereugenethehub

Keywords

tufsecurityupdate

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
bogus-package bogus-package AI (bogus-package): tuf-js is the official TUF JavaScript client from theupdateframework org. Inflated semver reflects project maturity on first standalone npm publish; short README is cosmetic. SLSA provenance confirms legitimacy. ai
dependencies unvetted-dep:@tufjs/models AI (dependencies): @tufjs/models is a sibling package from the same official theupdateframework monorepo; expected dependency for this package. ai

Versions (showing 2 of 2)

Version Deps Published
5.0.1 3 / 3
4.1.0 3 / 3

v4.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.