workbox-cache-expiration
A service worker helper library that expires cached responses based on age or maximum number of entries.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.dev.v2.0.2-rc1-2.0.2-rc1.0.js | AI (source-diff): workbox-cache-expiration ships minified build bundles as its primary distribution artifact; minification is expected and consistent across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.prod.v2.0.2-rc1-2.0.2-rc1.0.mjs | AI (source-diff): workbox-cache-expiration ships minified build bundles as its primary distribution artifact; minification is expected and consistent across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.dev.v2.0.2-rc1-2.0.2-rc1.0.mjs | AI (source-diff): workbox-cache-expiration ships minified build bundles as its primary distribution artifact; minification is expected and consistent across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.prod.v2.0.2-rc1-2.0.2-rc1.0.js | AI (source-diff): workbox-cache-expiration ships minified build bundles as its primary distribution artifact; minification is expected and consistent across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.prod.v2.0.3.mjs | AI (source-diff): Standard minified ESM build artifact from Google's Workbox toolkit. Apache-licensed, no malicious content. Minification is expected for this distribution format. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.dev.v2.0.3.js | AI (source-diff): Standard minified build artifact from Google's Workbox toolkit. Apache-licensed, no malicious content. Minification is expected for this distribution format. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.prod.v2.0.3.js | AI (source-diff): Standard minified build artifact from Google's Workbox toolkit. Apache-licensed, no malicious content. Minification is expected for this distribution format. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.dev.v2.0.3.mjs | AI (source-diff): Standard minified ESM build artifact from Google's Workbox toolkit. Apache-licensed, no malicious content. Minification is expected for this distribution format. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.dev.v2.0.0.js | AI (source-diff): Standard minified build artifact for the Workbox service worker library; Apache-licensed Google code with no malicious patterns. Long lines are minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.prod.v2.0.0.mjs | AI (source-diff): Standard minified production ES module build artifact; legitimate Google Workbox output with Apache-2.0 license header. | ai | |
| source-diff | obfuscated-file:build/modules/workbox-cache-expiration.dev.v2.0.0.mjs | AI (source-diff): Standard minified ES module build artifact for Workbox; no malicious content, just minified service worker cache logic. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-cache-expiration.prod.v2.0.0.js | AI (source-diff): Standard minified production build artifact; same rationale as dev variant — legitimate Google Workbox output. | ai | |
| provenance | no-provenance | AI (provenance): Package was published in 2018 before Sigstore provenance was available. Not a meaningful risk signal for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Both jeffposnick and gauntface are known Google engineers on the Workbox team. This is a legitimate intra-team maintainer transition, not a hostile takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): philipwalton is a known Google engineer. Addition is consistent with the Workbox v3 team expansion. | ai | |
| source-diff | obfuscated-file:build/workbox-cache-expiration.prod.js | AI (source-diff): This is a standard minified production build artifact for a Google Workbox browser package. The code implements cache expiration logic as expected. Minified builds are normal for this package type. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 3.6.3 | 1 / 0 | |
| 3.6.2 | 1 / 0 | |
| 3.6.1 | 1 / 0 | |
| 3.6.0 | 1 / 0 | |
| 3.5.0 | 1 / 0 | |
| 3.4.1 | 1 / 0 | |
| 3.3.1 | 1 / 0 | |
| 3.3.0 | 1 / 0 | |
| 3.2.0 | 1 / 0 | |
| 3.1.0 | 1 / 0 | |
| 3.0.1 | 1 / 0 | |
| 3.0.0 | 1 / 0 | |
| 2.0.3 | 0 / 1 | |
| 2.0.2 | 0 / 1 | |
| 2.0.0 | 0 / 1 | |
| 1.3.0 | 0 / 1 | |
| 1.2.0 | 0 / 1 | |
| 1.1.0 | 0 / 1 | |
| 1.0.0 | 0 / 1 | |
| 0.0.3 | 0 / 1 | |
| 0.0.2 | 0 / 1 | |
| 0.0.1 | 0 / 1 |
v3.6.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
2 findingsThis version was published by a different npm account than previous versions on 2018-09-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
2 findingsThis version was published by a different npm account than previous versions on 2018-09-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
2 findingsThis version was published by a different npm account than previous versions on 2018-09-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
2 findingsThis version was published by a different npm account than previous versions on 2018-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
3 findingsThis version was published by a different npm account than previous versions on 2018-03-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-08-24. This could indicate a legitimate maintainer transition or an account compromise.