
@bobfrankston/mailx

Local-first email client with IMAP sync and standalone native app

Versions: 8
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bobfrankston

Keywords

deprecated, renamed, moved

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: install-scripts
Rule: install-script:postinstall
Reason: AI (install-scripts): Postinstall runs a local node script, not a remote fetch; consistent with this package's documented setup pattern.
Accepted by: ai
When: (not shown)

Source: semgrep
Rule: semgrep:shady-links-raw-ip
Reason: AI (semgrep): Raw IP is 127.0.0.1 in a console.log message directing users to local UI; not a network exfiltration.
Accepted by: ai
When: (not shown)

Source: phantom-deps
Rule: phantom-dep:quill
Reason: AI (phantom-deps): Quill referenced in config files (likely capacitor/mobile build config), not a runtime import concern.
Accepted by: ai
When: (not shown)

Source: phantom-deps
Rule: phantom-dep:@capacitor/cli
Reason: AI (phantom-deps): Capacitor deps are build/tooling references in config, not runtime phantom deps.
Accepted by: ai
When: (not shown)

Source: phantom-deps
Rule: phantom-dep:@capacitor/core
Reason: AI (phantom-deps): Capacitor deps are build/tooling references in config, not runtime phantom deps.
Accepted by: ai
When: (not shown)

Source: phantom-deps
Rule: phantom-dep:@capacitor/android
Reason: AI (phantom-deps): Capacitor deps are build/tooling references in config, not runtime phantom deps.
Accepted by: ai
When: (not shown)

Versions (showing 8 of 8)

Version    Deps     Published
1.0.440    20 / 1   (not shown)
1.0.411    20 / 1   (not shown)
1.0.370    20 / 1   (not shown)
1.0.304    19 / 1   (not shown)
1.0.302    19 / 1   (not shown)
1.0.297    19 / 1   (not shown)
1.0.165    14 / 1   (not shown)
1.0.151    13 / 1   (not shown)

v1.0.411 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.370 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.304 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.302 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.297 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.165 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.151 (2 findings)

HIGH  [install-scripts]  Package has 'postinstall' script
      Script: node bin/postinstall.js

LOW   [provenance]  No provenance attestation
      Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.