@abtnode/util — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wangshijunpolunzhmave99a

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Large org monorepo with 1166 versions; irregular publish cadence is expected, not indicative of takeover.	ai	2026/05/14
dependencies	unvetted-dep:private-ip	AI (dependencies): private-ip is used alongside public-ip/internal-ip/is-ip for network classification; clearly intentional in this utility package.	ai	2026/05/08
semgrep	semgrep:child-process-import	AI (semgrep): Used for pm2 orphan-process management; expected in a node process manager utility.	ai	2026/05/05
semgrep	semgrep:base64-decode	AI (semgrep): Base64 used for encryption key encoding/decoding; no payload obfuscation.	ai	2026/05/05
phantom-deps	phantom-dep:hpagent	AI (phantom-deps): Declared in package.json as runtime dep; phantom-dep heuristic false positive.	ai	2026/05/05
typosquat	typosquat.levenshtein:uuid	AI (typosquat): Scoped @abtnode/ package; levenshtein match to uuid is a false positive for this namespace.	ai	2026/05/05
phantom-deps	phantom-dep:p-wait-for	AI (phantom-deps): Declared in package.json as runtime dep; phantom-dep heuristic false positive.	ai	2026/05/05
phantom-deps	phantom-dep:axios-mock-adapter	AI (phantom-deps): Declared in package.json; used in tests per config files.	ai	2026/05/05
phantom-deps	phantom-dep:fast-glob	AI (phantom-deps): Declared in package.json as runtime dep; phantom-dep heuristic false positive.	ai	2026/05/05
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 169.254.169.254 is the standard GCP instance metadata endpoint; not malicious.	ai	2026/05/05