which
Like the which(1) Unix command: find the first instance of an executable in the PATH.
Versions: 37
License: ISC
Install scripts: No
Provenance: Verified

Supply chain provenance
Status for the latest visible version. Signals checked:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
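The three signals above can be read straight from a registry version manifest (the object `npm view <pkg>@<version> --json` prints). The block below is an added example, not the scanner's or the `which` project's code: it assumes the public registry field names `dist.signatures`, `dist.attestations.provenance.predicateType` and `gitHead`, and the two sample manifests at the bottom are constructed with placeholder values, not real registry data.

```javascript
// Added example (not the scanner's own code): evaluate the three provenance
// signals from an npm registry version manifest. Field names follow the public
// registry format (dist.signatures, dist.attestations, gitHead); the sample
// manifests below are CONSTRUCTED and carry placeholder values.

const SLSA_PREDICATES = new Set([
  'https://slsa.dev/provenance/v1',
  'https://slsa.dev/provenance/v0.2',
]);

function assessProvenance(manifest) {
  const dist = manifest.dist || {};

  // 1. SLSA provenance attestation: the registry records the predicate type of
  //    the attestation bundle it holds for this version.
  const predicateType =
    dist.attestations && dist.attestations.provenance
      ? dist.attestations.provenance.predicateType
      : null;
  const slsaProvenance = SLSA_PREDICATES.has(predicateType);

  // 2. Registry signature: the registry signs "<name>@<version>:<integrity>"
  //    with its ECDSA key; a manifest lists {keyid, sig} pairs under dist.
  const signatures = Array.isArray(dist.signatures) ? dist.signatures : [];
  const registrySignature = signatures.some(
    (s) => typeof s.keyid === 'string' && typeof s.sig === 'string' && s.sig.length > 0,
  );

  // 3. gitHead linked: the publishing client self-reports the source commit.
  //    Require a full 40-hex SHA-1; a branch name or empty value is not a link.
  const gitHead = typeof manifest.gitHead === 'string' ? manifest.gitHead : '';
  const gitHeadLinked = /^[0-9a-f]{40}$/i.test(gitHead);

  // Rank the strongest signal present. A build attestation (verifiable against
  // Sigstore) beats a registry signature (proves only that the registry served
  // these bytes), which beats gitHead (unsigned, set by whoever ran `npm publish`).
  let strongest = 'none';
  if (gitHeadLinked) strongest = 'gitHead';
  if (registrySignature) strongest = 'registry-signature';
  if (slsaProvenance) strongest = 'slsa-provenance';

  return {
    version: manifest.version,
    slsaProvenance,
    predicateType,
    registrySignature,
    gitHeadLinked,
    strongest,
  };
}

// Constructed manifests; every value is a placeholder, not the registry's.
const SAMPLE_WITH_PROVENANCE = {
  name: 'which',
  version: '7.0.0',
  gitHead: '0123456789abcdef0123456789abcdef01234567',
  dist: {
    integrity: 'sha512-PLACEHOLDER',
    signatures: [{ keyid: 'SHA256:placeholder-registry-key-id', sig: 'MEUCIQ-placeholder' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/which@7.0.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

const SAMPLE_LEGACY = {
  name: 'which',
  version: '1.0.0',
  dist: { integrity: 'sha1-PLACEHOLDER' }, // no signatures, attestations or gitHead
};

for (const m of [SAMPLE_WITH_PROVENANCE, SAMPLE_LEGACY]) {
  console.log(JSON.stringify(assessProvenance(m)));
}
```

Presence of `dist.attestations` only tells you the registry holds a bundle; to actually verify it (and the registry signature) against Sigstore, run `npm audit signatures` in a project that depends on the package, which checks every installed version rather than one manifest.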
Maintainers: saquibkhan, npm-cli-ops, reggi, owlstronaut
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): which is a canonical, minimal Unix utility with 241M+ weekly downloads. No deps, tiny payload, and sparse README are expected characteristics of this well-established single-purpose package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): isaacs transferred which to the npm org; removal of original maintainer is expected in this context. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate transfer from isaacs to npm CLI team (gar, npm-cli-ops, reggi, etc.) under github.com/npm org. Well-documented organizational handoff. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): isexe and is-absolute are functionally appropriate dependencies for a `which`-style utility; added by the original trusted author isaacs. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transition from isaacs to npm CLI team (GitHub Inc.). lukekarrys is a known npm CLI team member; package now lives under github.com/npm org. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (fritzy, darcyclarke, nlf, gar, lukekarrys) are all known npm CLI team members. Organizational transfer, not compromise. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; 241.8M weekly downloads and trusted publisher make this a stable false-positive signal for this package. | ai | |
| dependencies | unvetted-dep:is-absolute | AI (dependencies): is-absolute is a legitimate utility package appropriate for a which-command implementation; not a security concern for this package. | ai | |
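The maintainer-change rows above (maintainer-removed, maintainer-added, maintainer-takeover) and the reviewer's reason for accepting them (all incoming accounts belong to a known org) can be reproduced as a small check. The block below is an added example, not the scanner's own rule engine: the rule semantics are my reconstruction from the rule names, and the maintainer snapshots and the allow-list of handles are constructed for illustration, mirroring names in the table rather than being pulled from the registry.

```javascript
// Added example (not the scanner's own code): diff two maintainer-list
// snapshots into the findings named in the table, then apply the reviewer's
// acceptance logic. Rule semantics are an ASSUMPTION reconstructed from the
// rule names; snapshots and the allow-list are CONSTRUCTED.

function diffMaintainers(before, after) {
  const prev = new Set(before);
  const next = new Set(after);
  const removed = [...prev].filter((m) => !next.has(m));
  const added = [...next].filter((m) => !prev.has(m));
  const findings = [];
  if (removed.length > 0) findings.push('maintainer-removed');
  if (added.length > 0) findings.push('maintainer-added');
  // Takeover: no continuity at all. Every previous maintainer is gone and the
  // package is now controlled only by accounts that were not there before.
  if (prev.size > 0 && removed.length === prev.size && added.length > 0) {
    findings.push('maintainer-takeover');
  }
  return { removed, added, findings };
}

// Accept a maintainer-change finding only when every incoming account is on
// the allow-list (here: handles known to belong to one org). Any unknown
// incoming account keeps the finding open, even if a previous maintainer stays.
function reviewMaintainerChange(before, after, knownOrgMembers) {
  const diff = diffMaintainers(before, after);
  const unknown = diff.added.filter((m) => !knownOrgMembers.has(m));
  let decision = 'no-change';
  if (diff.findings.length > 0) {
    decision = unknown.length === 0 ? 'accepted' : 'block';
  }
  return { ...diff, unknown, decision };
}

// Constructed allow-list: handles the table names as npm CLI team members.
const KNOWN_NPM_CLI_TEAM = new Set([
  'npm-cli-ops', 'reggi', 'saquibkhan', 'owlstronaut',
  'lukekarrys', 'gar', 'fritzy', 'darcyclarke', 'nlf',
]);

// Constructed snapshots: an org handoff versus an unknown account replacing
// the original author outright.
const HANDOFF = reviewMaintainerChange(
  ['isaacs'],
  ['npm-cli-ops', 'reggi', 'saquibkhan', 'owlstronaut'],
  KNOWN_NPM_CLI_TEAM,
);
const SUSPICIOUS = reviewMaintainerChange(
  ['isaacs'],
  ['totally-not-isaacs'],
  KNOWN_NPM_CLI_TEAM,
);

console.log(JSON.stringify(HANDOFF));
console.log(JSON.stringify(SUSPICIOUS));
```

The allow-list is the whole trust decision here: the same `maintainer-takeover` finding is accepted for one snapshot and blocked for the other purely on who the incoming accounts are, so the list itself has to come from a source you trust (org membership you can verify), not from the package's own metadata.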
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 7.0.0 | 1 / 3 | |
| 6.0.1 | 1 / 3 | |
| 6.0.0 | 1 / 3 | |
| 5.0.0 | 1 / 3 | |
| 4.0.0 | 1 / 3 | |
| 3.0.1 | 1 / 3 | |
| 3.0.0 | 1 / 3 | |
| 2.0.2 | 1 / 3 | |
| 2.0.1 | 1 / 3 | |
| 2.0.0 | 1 / 3 | |
| 1.3.1 | 1 / 3 | |
| 1.3.0 | 1 / 3 | |
| 1.2.14 | 1 / 3 | |
| 1.2.13 | 1 / 3 | |
| 1.2.12 | 1 / 3 | |
| 1.2.11 | 1 / 3 | |
| 1.2.10 | 1 / 3 | |
| 1.2.9 | 1 / 3 | |
| 1.2.8 | 2 / 3 | |
| 1.2.7 | 2 / 3 | |
| 1.2.6 | 2 / 3 | |
| 1.2.5 | 2 / 3 | |
| 1.2.4 | 2 / 3 | |
| 1.2.1 | 1 / 3 | |
| 1.2.0 | 1 / 3 | |
| 1.1.2 | 1 / 3 | |
| 1.1.1 | 1 / 3 | |
| 1.1.0 | 1 / 3 | |
| 1.0.9 | 0 / 0 | |
| 1.0.8 | 0 / 0 | |
| 1.0.7 | 0 / 0 | |
| 1.0.6 | 0 / 0 | |
| 1.0.5 | 0 / 0 | |
| 1.0.3 | 0 / 0 | |
| 1.0.2 | 0 / 0 | |
| 1.0.1 | 0 / 0 | |
| 1.0.0 | 0 / 0 |
v7.0.0 (1 finding)
INFO, provenance: Has SLSA provenance attestation
Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal available for an npm package, but the registry metadata only shows that a bundle exists: verify it against Sigstore (for example with `npm audit signatures` in a project that installs this version) and confirm the attestation's subject digest matches the tarball you actually downloaded before relying on it.