typhonjs-ast-walker
Provides a simple Javascript AST traversal utility that traverses all nodes / children regardless of type.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): typhonrt is Mike Leahy — same person as previous maintainer, consistent across package name, GitHub org, author email, and maintainer URL. Self-transfer, not a hostile takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): typhonrt is the package's own author/org; addition reflects account consolidation, not a third-party takeover. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Mike Leahy and typhonrt are the same person; removal of the old account name is benign. | ai | |
v0.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findings
All previous maintainers (mike leahy) were replaced by new maintainers (typhonrt). This is a strong signal of a potential package hijack and requires careful review.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.