which-pm-runs
Detects what package manager executes the process
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Trusted long-standing publisher zkochan; missing gitHead reflects a publish environment change, not a security concern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; absence of attestation is expected for this older package from a trusted publisher. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy followed by a clean ESM modernization update from the original publisher with no new deps or install scripts. Consistent with legitimate maintenance, not account takeover. | ai | |
v2.0.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zkochan.
- Package was published without Sigstore provenance. Consider asking the maintainer to publish from CI/CD with provenance enabled (`npm publish --provenance`).
v1.1.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zkochan.
- Package was published without Sigstore provenance. Consider asking the maintainer to publish from CI/CD with provenance enabled (`npm publish --provenance`).
v1.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
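The three rules behind these findings (missing-githead, no-provenance, dormant-publish) can be re-derived from the public npm packument for any package. The script below is an added example, not code from this scanner or from the which-pm-runs project. It assumes the registry document shape `versions[v].gitHead`, `versions[v].dist.attestations.provenance`, `versions[v]._npmUser` and `time[v]`; `SAMPLE_PACKUMENT` is constructed to mirror the findings listed above (the gitHead value and tarball URLs are placeholders, not real data), and the 365-day dormancy threshold is an assumption of the example.

```javascript
// Added example: audit an npm packument for the findings shown on this page.
// SAMPLE_PACKUMENT is CONSTRUCTED to mirror the page's findings; fetch the real
// document from https://registry.npmjs.org/<name> to audit a live package.
const DAY_MS = 24 * 60 * 60 * 1000;

const SAMPLE_PACKUMENT = {
  name: 'which-pm-runs',
  // Publish timestamps: one early release, then a long gap, then a quick follow-up.
  time: {
    '1.0.0': '2016-01-20T10:00:00.000Z',
    '1.1.0': '2025-07-01T09:00:00.000Z',
    '2.0.0': '2025-07-15T09:00:00.000Z',
  },
  versions: {
    '1.0.0': {
      gitHead: '0123456789abcdef0123456789abcdef01234567', // placeholder, not a real commit
      dist: { tarball: 'https://registry.npmjs.org/which-pm-runs/-/which-pm-runs-1.0.0.tgz' },
      _npmUser: { name: 'zkochan' },
    },
    '1.1.0': { // no gitHead: publish environment changed
      dist: { tarball: 'https://registry.npmjs.org/which-pm-runs/-/which-pm-runs-1.1.0.tgz' },
      _npmUser: { name: 'zkochan' },
    },
    '2.0.0': {
      dist: { tarball: 'https://registry.npmjs.org/which-pm-runs/-/which-pm-runs-2.0.0.tgz' },
      _npmUser: { name: 'zkochan' },
    },
  },
};

// Sigstore provenance appears as dist.attestations with a provenance predicate.
// No such field means the version was not published with `npm publish --provenance`.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// Order versions by publish time, so "previous versions" means earlier publishes
// rather than lower semver (a backported patch can be published later).
function publishOrder(packument) {
  return Object.keys(packument.versions)
    .filter((v) => packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function auditPackument(packument, { dormancyDays = 365 } = {}) {
  const findings = [];
  let seenGitHead = false;   // did any earlier publish carry a gitHead?
  let previousPublish = null; // timestamp of the previous publish, in ms
  for (const version of publishOrder(packument)) {
    const doc = packument.versions[version];
    const publishedAt = Date.parse(packument.time[version]);
    const publisher = (doc._npmUser && doc._npmUser.name) || 'unknown';

    // Rule missing-githead: only fires once a gitHead has been seen and then disappears.
    if (!doc.gitHead && seenGitHead) {
      findings.push({ version, rule: 'missing-githead',
        message: `no gitHead but earlier versions had one; publish environment changed? (published by ${publisher})` });
    }
    // Rule no-provenance: no cryptographic link from tarball to source commit and builder.
    if (!hasProvenance(doc)) {
      findings.push({ version, rule: 'no-provenance',
        message: 'published without Sigstore provenance; ask the maintainer to publish with --provenance from CI' });
    }
    // Rule dormant-publish: long silence, then a release. Review the diff, new deps and install scripts.
    if (previousPublish !== null && publishedAt - previousPublish > dormancyDays * DAY_MS) {
      const gapDays = Math.round((publishedAt - previousPublish) / DAY_MS);
      findings.push({ version, rule: 'dormant-publish',
        message: `published after ${gapDays} days of dormancy; check for new deps, install scripts or a publisher change` });
    }

    seenGitHead = seenGitHead || Boolean(doc.gitHead);
    previousPublish = publishedAt;
  }
  return findings;
}

// Sorted rule names for one version, handy for comparing against the page's findings.
function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}

for (const f of auditPackument(SAMPLE_PACKUMENT)) {
  console.log(`${f.version} ${f.rule}: ${f.message}`);
}
```

Note what provenance does and does not buy you: an attestation proves which builder produced the tarball from which commit, so it closes the gap the page describes, but it says nothing about whether that commit is benign. The dormant-publish check still has to be followed by reading the diff.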