whelk — Greenflagged

Run a JavaScript function as a shell script.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mikermcneileashaw

Keywords

machinescriptsailscli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Legitimate maintainer transition within sailshq org from mikermcneil to eashaw, a trusted publisher with 856 approved packages.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): eashaw is a known Sails.js ecosystem maintainer with extensive track record; legitimate org handoff.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy explained by org-level maintenance transition; no code changes in this publish.	ai	2026/04/24
typosquat	typosquat.levenshtein:chalk	AI (typosquat): whelk is a legitimate, 8+ year old package in the Sails.js ecosystem. It actually depends on chalk. The Levenshtein match is purely mechanical with no typosquat intent.	ai	2026/04/24

Versions (showing 9 of 9)

Version	Deps	Published
6.0.2	7 / 3	2024-03-15
6.0.1	7 / 3	2018-05-28
6.0.0	7 / 3	2017-11-21
5.2.0	7 / 3	2017-11-05
5.1.0	7 / 3	2017-11-05
5.0.3	7 / 3	2017-11-04
5.0.2	7 / 3	2017-11-04
5.0.1	7 / 3	2017-11-03
5.0.0	7 / 3	2017-10-26

v6.0.2

2 findings

HIGH Publisher changed: mikermcneil → eashaw (on 2024-03-15) provenance

This version was published by a different npm account than previous versions on 2024-03-15. This could indicate a legitimate maintainer transition or an account compromise.