uuid — Greenflagged

RFC9562 UUIDs

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

broofactavan

Keywords

uuidguidrfc4122rfc9562

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/esm-browser/sha1.js	AI (source-diff): Readable SHA-1 implementation for uuid v5; long lines from unrolled hash rounds, not obfuscation. Stable for this package.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm-browser/md5.js	AI (source-diff): Readable MD5 implementation for uuid v3; long lines from unrolled hash rounds, not obfuscation. Stable for this package.	ai	2026/04/21
install-scripts	install-script:preinstall	AI (install-scripts): Preinstall script is the documented build flow for native libuuid bindings; stable for this package.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm/test/test_constants.js	AI (source-diff): Same test constants file in ESM dist format; readable UUID test vectors, not obfuscated.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm-browser/test/test_constants.js	AI (source-diff): Test constants file containing UUID test vectors with long lines; clearly readable, not obfuscated. Standard for uuid's dist output.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs-browser/sha1.js	AI (source-diff): Readable TypeScript-compiled SHA1 implementation in CJS browser dist; long lines from algorithm constants, not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm-browser/test/parse.test.js	AI (source-diff): ESM browser dist test file; readable code, long lines from test data, not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm/test/parse.test.js	AI (source-diff): ESM dist test file; readable code, long lines from test data, not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs-browser/test/test_constants.js	AI (source-diff): Test constants file with long lines of UUID test vectors; clearly readable, not obfuscated.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/test/test_constants.js	AI (source-diff): Test constants file with long lines of UUID test vectors; clearly readable, not obfuscated.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase from shipping 4 dist variants (cjs/esm × node/browser) plus tests; expected for multi-target build.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs-browser/md5.js	AI (source-diff): Readable TypeScript-compiled MD5 implementation in CJS browser dist; long lines from algorithm constants, not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs-browser/test/parse.test.js	AI (source-diff): Compiled test file with standard assert/node:test calls; long lines from test data arrays, not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/test/parse.test.js	AI (source-diff): Compiled test file with standard assert/node:test calls; long lines from test data arrays, not obfuscation.	ai	2026/04/21
provenance	no-provenance	AI (provenance): uuid is a 5500-day-old package with 241M weekly downloads published well before Sigstore provenance was available on npm. Absence is expected and not a risk signal.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): child_process usage is confined to misc/compare.js, a private benchmark script comparing UUID libraries. Not runtime code; no install script invokes it. Safe for this package.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Major version jump (v9→v13) with TypeScript migration naturally produces many new compiled output files.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): broofa is a co-author of uuid (listed in funding); rotation from ctavan to broofa is between known maintainers.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of inactive maintainers (vvo, defunctzombie) during major version bump is routine cleanup.	ai	2026/04/21

Versions (showing 42 of 42)

Version	Deps	Published
14.0.0	0 / 15	2026-04-19
13.0.2	0 / 21	2026-05-04
13.0.1	0 / 21	2026-04-29
13.0.0	0 / 21	2025-09-08
12.0.0	0 / 21	2025-09-05
11.1.0	0 / 22	2025-02-19
11.0.5	0 / 22	2025-01-09
11.0.4	0 / 22	2025-01-05
11.0.3	0 / 22	2024-11-10
11.0.2	0 / 22	2024-10-28
11.0.1	0 / 22	2024-10-27
11.0.0	0 / 22	2024-10-27
10.0.0	0 / 27	2024-06-09
9.0.1	0 / 23	2023-09-12
9.0.0	0 / 23	2022-09-05
8.3.2	0 / 27	2020-12-08
8.3.1	0 / 27	2020-10-04
8.3.0	0 / 33	2020-07-27
8.2.0	0 / 32	2020-06-23
8.1.0	0 / 32	2020-05-20
8.0.0	0 / 27	2020-04-29
7.0.3	0 / 28	2020-03-31
7.0.2	0 / 25	2020-03-04
7.0.1	0 / 25	2020-02-25
7.0.0	0 / 24	2020-02-24
3.4.0	0 / 7	2020-01-16
3.3.3	0 / 7	2019-08-19
3.3.2	0 / 7	2018-06-28
3.3.0	0 / 7	2018-06-26
3.2.1	0 / 4	2018-01-16
3.2.0	0 / 4	2018-01-16
3.1.0	0 / 1	2017-06-16
3.0.1	0 / 1	2016-11-29
3.0.0	0 / 1	2016-11-18
2.0.3	0 / 1	2016-09-18
2.0.2	0 / 1	2016-04-13
2.0.1	0 / 1	2014-09-29
2.0.0	0 / 1	2014-09-29
1.4.2	0 / 1	2014-09-25
1.4.1	0 / 1	2013-03-14
1.4.0	0 / 0	2013-02-19
0.0.2	0 / 0	2011-03-31

v13.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.1

2 findings

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: GitHub Actions → broofa (on 2026-04-29, known maintainer) provenance

This version was published by a different npm account (broofa) than the most recent previously approved version (GitHub Actions) on 2026-04-29, but broofa is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v8.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: defunctzombie → broofa (on 2017-06-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2017-06-16. This could indicate a legitimate maintainer transition or an account compromise.