@accounts/server
Fullstack authentication and accounts-management
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established package with 204 versions and trusted publisher; missing gitHead is consistent with a CI/tooling change, not a supply chain compromise signal for this package. | ai | |
| phantom-deps | phantom-dep:@types/jsonwebtoken | AI (phantom-deps): Framework-scoped types loaded by convention; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@types/jsonwebtoken | AI (dependencies): TypeScript types for jsonwebtoken; standard dependency for auth libraries. | ai | |
| dependencies | unvetted-peer-dep:@accounts/common | AI (dependencies): Peer dependency on sibling @accounts/common is expected in this scoped package ecosystem. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is typical for alpha releases; not indicative of malice given publisher history. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate organizational transition within js-accounts project; publisher davidyaha has strong track record and repo URL matches official GitHub org. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals reflect alpha-stage development (no repo/keywords/description); established publisher and ecosystem trust override spam indicators. | ai | |
| dependencies | unvetted-peer-dep:graphql-modules | AI (dependencies): graphql-modules is a standard GraphQL peer dependency for this authentication library; version constraint ^3.0.0 is reasonable. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects Flow type definitions and email functionality; no bundled payloads detected. | ai | |
| phantom-deps | phantom-dep:apollo-errors | AI (phantom-deps): apollo-errors is declared as a dependency and referenced in config files; its non-direct import is a stable pattern for this package across versions. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 28 new files reflect normal package growth and refactoring; no bundled/injected code indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): crypto and emailjs are legitimate additions for an auth library; no suspicious patterns. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition occurred in 2017 as part of legitimate package maintenance; not a recent compromise signal. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects removal of Flow/UMD build scripts and transition to TypeScript; legitimate refactoring. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Pre-release alpha version with git commit hash is standard CI/CD pattern, not malicious. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Scoped package @accounts/server is not a typosquat; false positive from edit-distance matching against unscoped semver utility. | ai | |
| dependencies | unvetted-dep:jsonwebtoken | AI (dependencies): jsonwebtoken is a standard, widely-used JWT library; appropriate for an auth package. | ai | |
| dependencies | unvetted-dep:babel-polyfill | AI (dependencies): babel-polyfill is a standard compatibility polyfill; appropriate for alpha release. | ai | |
| dependencies | unvetted-dep:crypto | AI (dependencies): crypto@^0.0.3 is a known polyfill package; unvetted status is expected and poses no security risk. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'accounts' maintainer paired with addition of 'js-accounts' reflects org consolidation, not takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainers are known js-accounts contributors; legitimate project expansion, not account compromise. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore era (2017); lack of provenance is expected and not a security concern. | ai | |
| phantom-deps | phantom-dep:jwt-decode | AI (phantom-deps): jwt-decode is declared in dependencies and referenced in build config; phantom-dep pattern is stable for this package. | ai | |
| phantom-deps | phantom-dep:babel-polyfill | AI (phantom-deps): babel-polyfill is declared in dependencies and referenced in build config; phantom-dep pattern is stable for this package. | ai | |
| dependencies | unvetted-dep:@accounts/common | AI (dependencies): Internal monorepo dependency; same version constraint is expected and safe. | ai | |
Versions (showing 56 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.33.1 | 7 / 6 | |
| 0.33.0 | 7 / 6 | |
| 0.32.0 | 7 / 6 | |
| 0.31.1 | 7 / 4 | |
| 0.31.0 | 7 / 4 | |
| 0.30.0 | 7 / 5 | |
| 0.29.0 | 7 / 5 | |
| 0.28.0 | 7 / 5 | |
| 0.27.0 | 7 / 5 | |
| 0.26.0 | 7 / 5 | |
| 0.25.4 | 7 / 5 | |
| 0.25.3 | 7 / 5 | |
| 0.25.1 | 7 / 5 | |
| 0.25.0 | 7 / 5 | |
| 0.24.0 | 7 / 5 | |
| 0.23.0 | 7 / 5 | |
| 0.22.0 | 7 / 5 | |
| 0.21.1 | 7 / 5 | |
| 0.21.0 | 7 / 5 | |
| 0.20.1 | 7 / 5 | |
| 0.20.0 | 7 / 5 | |
| 0.19.0 | 7 / 5 | |
| 0.18.0 | 7 / 5 | |
| 0.17.0 | 7 / 5 | |
| 0.16.0 | 7 / 5 | |
| 0.15.0 | 7 / 5 | |
| 0.14.0 | 7 / 5 | |
| 0.13.0 | 7 / 5 | |
| 0.12.0 | 7 / 5 | |
| 0.11.2 | 7 / 5 | |
| 0.11.1 | 7 / 5 | |
| 0.10.0 | 6 / 5 | |
| 0.9.3 | 6 / 5 | |
| 0.9.2 | 6 / 5 | |
| 0.9.0 | 6 / 5 | |
| 0.7.0 | 6 / 5 | |
| 0.6.1 | 6 / 5 | |
| 0.6.0 | 6 / 5 | |
| 0.0.21 | 8 / 4 | |
| 0.0.20 | 8 / 4 | |
| 0.0.18 | 8 / 20 | |
| 0.0.17 | 8 / 20 | |
| 0.0.16 | 8 / 20 | |
| 0.0.15 | 8 / 19 | |
| 0.0.13 | 8 / 19 | |
| 0.0.11 | 8 / 19 | |
| 0.0.10 | 8 / 19 | |
| 0.0.9 | 8 / 19 | |
| 0.0.8 | 7 / 17 | |
| 0.0.7 | 7 / 17 | |
| 0.0.6 | 7 / 17 | |
| 0.0.5 | 7 / 17 | |
| 0.0.4 | 6 / 17 | |
| 0.0.3 | 6 / 17 | |
| 0.0.2 | 6 / 27 | |
| 0.0.1 | 6 / 27 | |
v0.0.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.18
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-07-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.15
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.11
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-22. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.10
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.9
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.8
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-23. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-05. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.