yurnalist
Elegant console output, borrowed from Yarn
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance (the Sigstore-signed attestation npm records when a package is published with `--provenance` from a supported CI system) there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap.
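The two provenance findings this page reports per version (a missing gitHead once earlier versions carried one, and no provenance attestation) can be reproduced from the registry's own metadata. The script below is an added example, not code from this page or from the yurnalist project. It runs over a constructed packument for a fictitious `example-pkg`; the field names follow the npm registry's full packument format (`versions.<v>.gitHead`, `versions.<v>.dist.attestations.provenance`), while the commit hashes and URLs are placeholders.

```python
"""Flag package versions published without provenance or without a gitHead.

Added example, not code from the scanner page or the yurnalist project.
Input is a packument in the shape the npm registry serves at
https://registry.npmjs.org/<name> (the full document, not the abbreviated
install metadata). Two rules are applied per version:

  missing-githead : no `gitHead` field, although an earlier version had one
  no-provenance   : no `dist.attestations.provenance` entry, i.e. no
                    Sigstore-signed SLSA provenance was attached at publish time

The packument below is constructed for this example: `example-pkg` is not a
real package and its hashes and URLs are placeholders.
"""
import json
import re
from typing import Dict, List

SAMPLE_PACKUMENT = json.dumps({
    "name": "example-pkg",
    "versions": {
        "1.1.1": {  # classic `npm publish` from a git checkout: gitHead recorded
            "version": "1.1.1",
            "gitHead": "1111111111111111111111111111111111111111",
            "_npmUser": {"name": "maintainer"},
            "dist": {"tarball": "https://registry.example/example-pkg-1.1.1.tgz"},
        },
        "2.0.0": {  # gitHead dropped: the publish environment changed
            "version": "2.0.0",
            "_npmUser": {"name": "maintainer"},
            "dist": {"tarball": "https://registry.example/example-pkg-2.0.0.tgz"},
        },
        "2.1.0": {  # published with --provenance from CI: attestation present
            "version": "2.1.0",
            "gitHead": "2222222222222222222222222222222222222222",
            "_npmUser": {"name": "maintainer"},
            "dist": {
                "tarball": "https://registry.example/example-pkg-2.1.0.tgz",
                "attestations": {
                    "url": "https://registry.example/-/npm/v1/attestations/example-pkg@2.1.0",
                    "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
                },
            },
        },
    },
})

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"
GIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def semver_key(version: str):
    """Sort key for MAJOR.MINOR.PATCH strings; pre-release suffixes are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def has_provenance(vdata: dict) -> bool:
    """True when dist.attestations.provenance names a SLSA provenance predicate."""
    pred = vdata.get("dist", {}).get("attestations", {}).get("provenance", {})
    return isinstance(pred, dict) and str(pred.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX)


def has_git_head(vdata: dict) -> bool:
    """True when the version carries a well-formed 40-hex gitHead."""
    return bool(GIT_SHA.match(str(vdata.get("gitHead", ""))))


def audit(packument_json: str) -> Dict[str, List[str]]:
    """Return {version: [finding, ...]} walking versions in ascending order.

    missing-githead is only raised once an earlier version has shown a gitHead,
    matching the "but previous versions did" wording of the finding.
    """
    pkg = json.loads(packument_json)
    findings: Dict[str, List[str]] = {}
    seen_git_head = False
    for version in sorted(pkg["versions"], key=semver_key):
        vdata = pkg["versions"][version]
        found: List[str] = []
        if has_git_head(vdata):
            seen_git_head = True
        elif seen_git_head:
            found.append("missing-githead")
        if not has_provenance(vdata):
            found.append("no-provenance")
        findings[version] = found
    return findings


def report(packument_json: str) -> str:
    """One line per version: findings, or 'ok' when both checks pass."""
    return "\n".join(
        f"{version:>8}  {', '.join(found) or 'ok'}"
        for version, found in audit(packument_json).items()
    )


if __name__ == "__main__":
    print(report(SAMPLE_PACKUMENT))
```

To audit a real package, replace the constructed input with the JSON fetched from https://registry.npmjs.org/<name>; the abbreviated install metadata omits `gitHead` and `_npmUser`, so request the full document. Once a version does carry an attestation, `npm audit signatures` run inside a project verifies the registry signatures and provenance attestations of what is actually installed, which is the stronger check than the presence test above.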
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:is-builtin-module | AI (phantom-deps): is-builtin-module is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:detect-indent | AI (phantom-deps): detect-indent is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:loud-rejection | AI (phantom-deps): loud-rejection is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): debug is a legitimate runtime dependency used indirectly; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:leven | AI (phantom-deps): leven is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is invoked in the clean script; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:invariant | AI (phantom-deps): invariant is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:strip-bom | AI (phantom-deps): strip-bom is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:cli-table3 | AI (phantom-deps): cli-table3 is a legitimate runtime dependency for console output; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:deep-equal | AI (phantom-deps): deep-equal is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:node-emoji | AI (phantom-deps): node-emoji is a legitimate runtime dependency for console output; phantom-deps false positive. | ai | |
| phantom-deps | phantom-dep:object-path | AI (phantom-deps): object-path is a legitimate runtime dependency; phantom-deps false positive. | ai | |
| provenance | missing-githead | AI (provenance): Long-standing maintainer published without gitHead; common when publish environment changes. No security concern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package from original author; lack of Sigstore provenance is common and not a security concern for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 5 / 36 | |
| 2.0.0 | 19 / 32 | |
| 1.1.2 | 19 / 32 | |
| 1.1.1 | 19 / 32 | |
| 1.0.5 | 19 / 32 | |
| 1.0.4 | 18 / 32 | |
| 1.0.3 | 18 / 32 | |
| 1.0.2 | 18 / 32 | |
| 0.2.1 | 16 / 23 | |
| 0.1.10 | 18 / 24 | |
| 0.1.9 | 19 / 24 | |
| 0.1.8 | 19 / 24 | |
| 0.1.6 | 18 / 24 | |
| 0.1.5 | 17 / 24 | |
| 0.1.4 | 17 / 24 | |
| 0.1.3 | 17 / 24 | |
| 0.1.2 | 17 / 24 | |
| 0.1.1 | 17 / 24 | |
| 0.1.0 | 17 / 24 | |
v2.1.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
v1.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
v1.0.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
v1.0.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.
v1.0.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: thijskoerselman.