union-value
Set an array of unique values as the property of an object. Supports setting deeply nested properties using using object-paths/dot notation.
11
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
doowbjonschlinkert
Keywords
arraydotgethasnestednotationobjectpathproppropertysetunionvalue
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:cast-to-array | AI (dependencies): cast-to-array is a jonschlinkert utility package consistent with this author's ecosystem; no malicious signals and fits the package's purpose. | ai | |
| dependencies | unvetted-dep:arr-union | AI (dependencies): arr-union is a well-known, stable utility from the same ecosystem; its use here is expected and benign for this package. | ai | |
| dependencies | unvetted-dep:set-value | AI (dependencies): set-value is a well-known utility from the same jonschlinkert ecosystem; flagging is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:arr-union | AI (phantom-deps): arr-union is a legitimate declared dependency used by this package; phantom-dep finding reflects config/indirect usage, not a security concern for this utility package. | ai | |
| phantom-deps | phantom-dep:is-extendable | AI (phantom-deps): is-extendable is a legitimate declared dependency; phantom-dep finding reflects indirect/config usage, not a security concern for this utility package. | ai | |
| provenance | no-provenance | AI (provenance): Established package from known publisher; lack of provenance is common and not a security concern for this package. | ai |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 2 / 2 | |
| 2.0.0 | 4 / 3 | |
| 1.0.1 | 4 / 3 | |
| 1.0.0 | 4 / 3 | |
| 0.2.4 | 4 / 3 | |
| 0.2.3 | 4 / 2 | |
| 0.2.2 | 4 / 2 | |
| 0.2.1 | 5 / 2 | |
| 0.2.0 | 6 / 2 | |
| 0.1.1 | 4 / 2 | |
| 0.1.0 | 4 / 2 |
v2.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.