@bunchtogether/hash-object

[Hash Object](https://github.com/bunchtogether/hash-object) [![CircleCI](https://circleci.com/gh/bunchtogether/hash-object/tree/master.svg?style=svg)](https://circleci.com/gh/bunchtogether/hash-object/tree/master) [![npm version](https://badge.fury.io/js/

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bunchtogether

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:farmhash.wasm	AI (dependencies): farmhash.wasm is the WebAssembly fallback for browser environments, consistent with the package's browser field in package.json. Legitimate use for cross-environment hashing support.	ai	2026/04/23
dependencies	unvetted-dep:farmhash	AI (dependencies): farmhash is a well-known Google FarmHash native binding, widely used in the Node.js ecosystem. Its use in a hashing utility is entirely expected and legitimate.	ai	2026/04/21
provenance	no-provenance	AI (provenance): No provenance is common (~88% of packages); publisher has a clean track record with 17 approved packages. Not a meaningful risk signal for this package.	ai	2026/04/21

Versions (showing 7 of 7)

Version	Deps	Published
1.0.7	1 / 33	2022-02-01
1.0.6	1 / 33	2022-02-01
1.0.5	1 / 33	2022-02-01
1.0.4	1 / 26	2022-02-01
1.0.3	1 / 25	2020-01-03
1.0.2	1 / 25	2019-03-17
1.0.0	3 / 25	2019-03-17