uint8arrays
Utility functions to make dealing with Uint8Arrays easier
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Trusted publisher (achingbrain, 441/0 record) with a major version bump restructuring the build pipeline; missing gitHead is consistent with a changed CI/build environment, not a supply chain compromise. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are explained by dual ESM/CJS build output with 7 granular entry points (3 variants each) plus type definitions — a structural refactor, not injected code. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): multiformats is a legitimate IPFS ecosystem package; achingbrain is a core contributor. This dependency addition is contextually appropriate for a Uint8Array utility library. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a placeholder reservation by trusted publisher achingbrain with 44 versions and 18 approved-dep edges; not indicative of malice. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse metadata is consistent with an initial placeholder version by a well-established, trusted publisher with a long track record and ecosystem adoption. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description in placeholder 0.0.0 version; subsequent versions have proper metadata. Not a malice indicator for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Package migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation; publisher change from achingbrain to GitHub Actions is expected and verified. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy explained by major version restructuring; SLSA attestation confirms legitimate publish from the original maintainer's repo. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; no provenance is expected for this era of the package's history. | ai |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 6.1.1 | 1 / 3 | |
| 6.1.0 | 1 / 3 | |
| 6.0.0 | 1 / 3 | |
| 5.1.1 | 1 / 3 | |
| 5.1.0 | 1 / 3 | |
| 5.0.3 | 1 / 3 | |
| 5.0.2 | 1 / 3 | |
| 5.0.1 | 1 / 3 | |
| 5.0.0 | 1 / 3 | |
| 4.0.10 | 1 / 3 | |
| 4.0.9 | 1 / 3 | |
| 4.0.8 | 1 / 3 | |
| 4.0.7 | 1 / 3 | |
| 4.0.6 | 1 / 3 | |
| 4.0.5 | 1 / 3 | |
| 4.0.4 | 1 / 3 | |
| 4.0.3 | 1 / 3 | |
| 4.0.2 | 1 / 3 | |
| 4.0.1 | 1 / 3 | |
| 4.0.0 | 1 / 3 | |
| 3.1.1 | 1 / 4 | |
| 3.1.0 | 1 / 4 | |
| 3.0.0 | 1 / 2 | |
| 2.1.10 | 1 / 2 | |
| 2.1.9 | 1 / 2 | |
| 2.1.8 | 1 / 2 | |
| 2.1.7 | 1 / 2 | |
| 2.1.6 | 1 / 2 | |
| 2.1.5 | 1 / 1 | |
| 2.1.4 | 1 / 1 | |
| 2.1.3 | 2 / 1 | |
| 2.1.2 | 2 / 1 | |
| 2.1.1 | 2 / 1 | |
| 2.1.0 | 2 / 1 | |
| 2.0.5 | 2 / 1 | |
| 2.0.4 | 2 / 1 | |
| 2.0.3 | 2 / 1 | |
| 2.0.2 | 2 / 1 | |
| 2.0.1 | 2 / 1 | |
| 2.0.0 | 2 / 1 | |
| 1.1.0 | 2 / 1 | |
| 1.0.0 | 2 / 1 | |
| 0.0.2 | 2 / 1 | |
| 0.0.1 | 2 / 1 | |
| 0.0.0 | 0 / 0 |
v6.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.