verb — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jonschlinkertdoowbadjohnson916

Keywords

commentcommentsdocdocsdocumentdocumentationgenerategeneratorghgh-pagesmarkdownmdpagesreadmereporepositorytemplatetemplatesverbverbiage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:nomnom	AI (phantom-deps): nomnom is a legitimate CLI argument parsing library; appropriate dependency for a CLI doc generator. Phantom detection likely due to indirect/lazy loading in bin scripts.	ai	2026/04/24
phantom-deps	phantom-dep:liftoff	AI (phantom-deps): liftoff is a standard CLI app launcher library; appropriate for verb's CLI tooling. Phantom detection likely due to indirect loading patterns.	ai	2026/04/24
phantom-deps	phantom-dep:inquirer	AI (phantom-deps): inquirer is a well-known interactive CLI prompts library; appropriate for a CLI documentation generator. Phantom detection likely due to conditional/indirect usage.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change jonschlinkert→doowb occurred in 2014; both are established assemble-ecosystem maintainers. Historical legitimate transition, not a compromise signal.	ai	2026/04/24
dependencies	unvetted-dep:v8flags	AI (dependencies): v8flags is a standard companion to liftoff-based CLI tools (used by gulp, etc.) for passing V8 flags; legitimate and well-known in the ecosystem.	ai	2026/04/24
phantom-deps	phantom-dep:prompt	AI (phantom-deps): prompt is a declared dependency used via config/CLI flow in this documentation generator; phantom detection reflects indirect usage pattern, not a real risk.	ai	2026/04/24
phantom-deps	phantom-dep:chai	AI (phantom-deps): chai appears in both dependencies and devDependencies; phantom detection is a false positive due to duplicate declaration across dep categories in this older package.	ai	2026/04/24
phantom-deps	phantom-dep:globule	AI (phantom-deps): globule is a declared dependency used indirectly via config in this documentation generator; not a security concern.	ai	2026/04/24
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a declared dependency used for CLI in this documentation generator; phantom detection reflects indirect usage, not a real risk.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): The dynamic require loads path.resolve('package.json') as a fallback for env config — a benign, well-understood pattern in build/doc tools. Not arbitrary module loading.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance on npm by years; absence is expected and not a risk signal for this package.	ai	2026/04/24

Versions (showing 69 of 69)

Version	Deps	Published
0.8.10	67 / 9	2015-08-26
0.8.9	67 / 9	2015-08-26
0.8.8	67 / 10	2015-08-21
0.8.6	63 / 10	2015-05-28
0.8.5	64 / 10	2015-05-26
0.8.4	64 / 10	2015-05-26
0.8.3	64 / 10	2015-05-24
0.8.2	62 / 10	2015-05-14
0.8.1	62 / 10	2015-05-13
0.8.0	62 / 10	2015-05-12
0.7.4	48 / 10	2015-04-25
0.7.3	48 / 10	2015-04-25
0.7.2	48 / 10	2015-04-23
0.7.1	48 / 10	2015-04-23
0.7.0	47 / 10	2015-04-23
0.6.1	48 / 9	2015-02-27
0.5.0	39 / 8	2015-02-23
0.4.5	32 / 10	2015-02-19
0.4.4	31 / 10	2015-02-17
0.4.3	31 / 10	2015-02-17
0.4.2	31 / 10	2015-02-17
0.4.1	30 / 11	2015-02-17
0.4.0	30 / 11	2015-02-17
0.3.9	37 / 5	2014-12-14
0.3.8	39 / 5	2014-12-02
0.3.7	36 / 5	2014-11-26
0.3.6	37 / 5	2014-11-17
0.3.5	37 / 5	2014-11-14
0.3.4	40 / 5	2014-11-13
0.3.3	38 / 5	2014-11-12
0.3.2	36 / 6	2014-11-12
0.3.1	35 / 7	2014-11-11
0.3.0	32 / 7	2014-11-11
0.2.15	35 / 3	2014-08-02
0.2.14	35 / 3	2014-07-07
0.2.13	35 / 4	2014-06-01
0.2.12	35 / 4	2014-06-01
0.2.11	32 / 2	2014-05-27
0.2.10	31 / 2	2014-05-23
0.2.9	31 / 2	2014-05-23
0.2.8	31 / 2	2014-05-23
0.2.7	31 / 2	2014-05-11
0.2.6	31 / 2	2014-05-02
0.2.5	31 / 2	2014-04-30
0.2.3	31 / 2	2014-04-25
0.2.2	32 / 2	2014-04-21
0.2.1	33 / 2	2014-03-31
0.2.0	32 / 2	2014-03-30
0.1.28	31 / 2	2014-03-27
0.1.27	30 / 2	2014-03-27
0.1.26	30 / 2	2014-03-27
0.1.25	30 / 2	2014-03-27
0.1.24	30 / 2	2014-03-27
0.1.23	30 / 2	2014-03-26
0.1.22	28 / 2	2014-03-25
0.1.20	28 / 2	2014-03-23
0.1.18	28 / 2	2014-03-23
0.1.17	28 / 2	2014-03-23
0.1.16	27 / 2	2014-03-22
0.1.15	27 / 2	2014-03-22
0.1.14	27 / 2	2014-03-22
0.1.13	27 / 2	2014-03-22
0.1.12	27 / 2	2014-03-22
0.1.11	27 / 2	2014-03-22
0.1.10	27 / 2	2014-03-21
0.1.8	30 / 2	2014-03-21
0.1.4	30 / 2	2014-03-21
0.1.3	30 / 2	2014-03-21
0.1.2	30 / 2	2014-03-14

v0.8.10

2 findings

HIGH Publisher changed: jonschlinkert → doowb (on 2015-08-26) provenance

This version was published by a different npm account than previous versions on 2015-08-26. This could indicate a legitimate maintainer transition or an account compromise.