@clerk/fastify @2.6.30
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
| Field | Value |
|---|---|
| Risk Score | 58 |
| License | MIT |
| Install Scripts | No |
| Dependencies | 5 |
| Dev Dependencies | 1 |
| Package Size | 9.4 KB |
Published
Clerk SDK for Fastify
Maintainers
colinclerk, bradenclerk, nikosdouvlis, chanioxaris, jescalan, bkalow, dominic-clerk, mwickett
Keywords
auth, authentication, passwordless, session, jwt, fastify
Dependencies (5)
| Package | Constraint | Registry Status |
|---|---|---|
| cookies | 0.9.1 | auto_approved |
| @clerk/types | ^4.101.22 | auto_approved |
| @clerk/shared | ^3.47.4 | auto_approved |
| @clerk/backend | ^2.33.2 | pending |
| fastify-plugin | ^5.0.1 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| fastify | ^5.6.1 | auto_approved |
Transitive Dependency Tree
15 transitive deps
max depth 3
├─ @clerk/backend ^2.33.2
├─ @clerk/shared ^3.47.4 → 3.47.4
├─ @clerk/types ^4.101.22 → 4.101.23
├─ cookies 0.9.1 → 0.9.1
├─ fastify-plugin ^5.0.1 → 5.1.0
├─ @clerk/shared ^3.47.5
├─ csstype 3.1.3
├─ depd ~2.0.0 → 2.0.0
├─ dequal 2.0.3 → 2.0.3
├─ glob-to-regexp 0.4.1 → 0.4.1
├─ js-cookie 3.0.5 → 3.0.5
├─ keygrip ~1.1.0 → 1.1.0
├─ std-env ^3.9.0
├─ swr 2.3.4 → 2.3.4
├─ dequal ^2.0.3 → 2.0.3
├─ tsscmp 1.0.6 → 1.0.6
├─ use-sync-external-store ^1.4.0 → 1.6.0
Changes from v3.1.6
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | @clerk/types | ^4.101.22 |
| changed | @clerk/shared | ^4.4.0 → ^3.47.4 |
| changed | @clerk/backend | ^3.2.4 → ^2.33.2 |
Script Changes
+ publish:local
- dev:pub
File Changes
2 added
10 removed
10 modified
size delta: -24.0 KB
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed from GitHub Actions CI to a human account with zero history; combined with dormancy and version regression, this is a strong account takeover signal. |
| dormant-publish | publish-pattern | reject | AI | AI (publish-pattern): 1155 days of inactivity followed by a publish from a new human publisher with no track record is a strong account takeover indicator. |
SAST Findings (2)
HIGH
Publisher changed: GitHub Actions → dominic-clerk (on 2026-04-15)
provenance
This version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 58. Findings: 1 high (+25), 3 medium (+30), 1 low (+3), 3 info (+0).
Published to npm: