@huggingface/hub
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cli-progress-XP5T6RZP.mjs | AI (source-diff): Bundled optional cli-progress dependency; readable source, just long lines from bundler. | ai | |
| source-diff | obfuscated-file:dist/browser/sha256-wrapper-6KQBPSEU.js | AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output for this package. | ai | |
| source-diff | obfuscated-file:dist/browser/sha256-wrapper-DYTB3MXW.mjs | AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output. | ai | |
| source-diff | obfuscated-file:dist/sha256-wrapper-ITDNMKRK.mjs | AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output. | ai | |
| source-diff | obfuscated-file:dist/cli-progress-A335VRBC.mjs | AI (source-diff): Bundled cli-progress dependency; readable source in bundle. | ai | |
| source-diff | obfuscated-file:dist/sha256-wrapper-6SHY2YLK.mjs | AI (source-diff): Bundled WASM sha256 wrapper; emscripten output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/cli.js | AI (source-diff): CLI for HF hub API; network + code exec is inherent to its purpose. | ai | |
| source-diff | obfuscated-file:dist/browser/sha256-wrapper-DHTT2DPH.js | AI (source-diff): Vendored hash-wasm sha256 compiled output; expected for this package. | ai | |
| source-diff | obfuscated-file:dist/browser/sha256-wrapper-RIVMC2TM.mjs | AI (source-diff): ESM variant of vendored sha256 wrapper; same as CJS sibling. | ai | |
| source-diff | obfuscated-file:dist/sha256-wrapper-RIVMC2TM.mjs | AI (source-diff): Node dist variant of vendored sha256 wrapper. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Established @huggingface org package with trusted publisher; dormancy is normal release cadence. | ai | |
| source-diff | obfuscated-file:dist/cli.js | AI (source-diff): esbuild CJS bundle for new CLI entry point; standard bundler output, not obfuscation. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): @huggingface/hub is the official Hugging Face hub client, a scoped package under the @huggingface namespace. Levenshtein comparison to 'yup' is a false positive with no impersonation intent. | ai |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 2.13.3 | 2 / 1 | |
| 2.13.2 | 2 / 1 | |
| 2.13.1 | 2 / 1 | |
| 2.13.0 | 2 / 1 | |
| 2.12.0 | 2 / 1 | |
| 2.11.2 | 2 / 1 | |
| 2.11.1 | 2 / 1 | |
| 2.11.0 | 1 / 1 | |
| 2.10.8 | 1 / 1 | |
| 2.10.7 | 1 / 1 | |
| 2.10.6 | 1 / 1 | |
| 2.10.5 | 1 / 1 | |
| 2.10.4 | 1 / 1 | |
| 2.10.3 | 1 / 1 | |
| 2.10.2 | 1 / 1 | |
| 2.10.1 | 1 / 1 | |
| 2.10.0 | 1 / 1 | |
| 2.9.0 | 1 / 1 | |
| 2.8.1 | 1 / 1 | |
| 2.8.0 | 1 / 1 | |
| 2.7.2 | 1 / 1 | |
| 2.7.1 | 1 / 1 | |
| 2.7.0 | 1 / 1 | |
| 2.6.13 | 1 / 1 | |
| 2.6.12 | 1 / 1 | |
| 2.6.11 | 1 / 1 | |
| 2.6.10 | 1 / 1 | |
| 2.6.9 | 1 / 1 | |
| 2.6.8 | 1 / 1 | |
| 2.6.7 | 1 / 1 | |
| 2.6.6 | 1 / 1 | |
| 2.6.5 | 1 / 1 | |
| 2.6.4 | 1 / 1 | |
| 2.6.3 | 1 / 1 | |
| 2.6.2 | 1 / 0 | |
| 2.6.1 | 1 / 0 | |
| 2.6.0 | 1 / 0 | |
| 2.5.3 | 1 / 0 | |
| 2.5.2 | 1 / 0 | |
| 2.5.1 | 1 / 0 | |
| 2.5.0 | 1 / 0 | |
| 2.4.1 | 1 / 0 | |
| 2.4.0 | 1 / 0 | |
| 2.3.0 | 1 / 0 | |
| 2.2.0 | 1 / 0 | |
| 2.1.0 | 1 / 0 | |
| 2.0.2 | 1 / 0 | |
| 2.0.1 | 1 / 0 | |
| 2.0.0 | 1 / 0 |
v2.13.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.