use
Easily add plugin support to your node.js application.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): eval() usage is confined to test.js and evaluates the output of the package's own require() wrapper with known string inputs — not a supply-chain risk for this package. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): 'use' is a legitimate, well-established package by jonschlinkert with no intent to impersonate 'qs'; the Levenshtein proximity is coincidental. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 3.1.1 | 0 / 9 | |
| 3.1.0 | 1 / 9 | |
| 3.0.0 | 2 / 8 | |
| 2.0.2 | 3 / 8 | |
| 2.0.1 | 4 / 8 | |
| 2.0.0 | 4 / 8 | |
| 1.1.2 | 2 / 6 | |
| 1.1.1 | 2 / 6 | |
| 1.1.0 | 2 / 7 | |
| 1.0.3 | 0 / 0 | |
| 1.0.2 | 0 / 0 | |
| 1.0.1 | 0 / 0 | |
| 1.0.0 | 0 / 0 | |
v3.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.