@drifted/qa — Greenflagged

this is sort of meant to be like test helpers that are default in rails. just stuff I normally use that allows me to test quickly.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ussballantyne

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Small internal test-helper package; lack of Sigstore provenance is not a disqualifier here.	ai	2026/05/05
bogus-package	bogus-package	AI (bogus-package): Private/internal scoped package; sparse metadata is expected, not indicative of spam or malice.	ai	2026/05/04
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic requires use path.join(__dirname, ...) with string literals to load local files — not user-controlled input.	ai	2026/04/30
typosquat	typosquat.levenshtein:qs	AI (typosquat): Scoped package @drifted/qa is a personal test-helper library, not a typosquat of qs.	ai	2026/04/29
phantom-deps	phantom-dep:handlebars	AI (phantom-deps): Handlebars declared as dependency and referenced in config; phantom-dep heuristic misfires here.	ai	2026/04/29
typosquat	typosquat.levenshtein:koa	AI (typosquat): 2-edit distance from koa is coincidental; package is clearly a scoped test utility.	ai	2026/04/29
typosquat	typosquat.levenshtein:pg	AI (typosquat): 2-edit distance from pg is coincidental; package is clearly a scoped test utility.	ai	2026/04/29