← Home

@huggingface/hub

49
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

julien-cpierriccoyotte508xenovagary149

Keywords

apiclientfacehubhugginghuggingface

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/cli-progress-XP5T6RZP.mjs AI (source-diff): Bundled optional cli-progress dependency; readable source, just long lines from bundler. ai
source-diff obfuscated-file:dist/browser/sha256-wrapper-6KQBPSEU.js AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output for this package. ai
source-diff obfuscated-file:dist/browser/sha256-wrapper-DYTB3MXW.mjs AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output. ai
source-diff obfuscated-file:dist/sha256-wrapper-ITDNMKRK.mjs AI (source-diff): Vendored hash-wasm Emscripten WASM glue code; expected bundled output. ai
source-diff obfuscated-file:dist/cli-progress-A335VRBC.mjs AI (source-diff): Bundled cli-progress dependency; readable source in bundle. ai
source-diff obfuscated-file:dist/sha256-wrapper-6SHY2YLK.mjs AI (source-diff): Bundled WASM sha256 wrapper; emscripten output, not obfuscation. ai
source-diff net-exec-file:dist/cli.js AI (source-diff): CLI for HF hub API; network + code exec is inherent to its purpose. ai
source-diff obfuscated-file:dist/browser/sha256-wrapper-DHTT2DPH.js AI (source-diff): Vendored hash-wasm sha256 compiled output; expected for this package. ai
source-diff obfuscated-file:dist/browser/sha256-wrapper-RIVMC2TM.mjs AI (source-diff): ESM variant of vendored sha256 wrapper; same as CJS sibling. ai
source-diff obfuscated-file:dist/sha256-wrapper-RIVMC2TM.mjs AI (source-diff): Node dist variant of vendored sha256 wrapper. ai
publish-pattern dormant-publish AI (publish-pattern): Established @huggingface org package with trusted publisher; dormancy is normal release cadence. ai
source-diff obfuscated-file:dist/cli.js AI (source-diff): esbuild CJS bundle for new CLI entry point; standard bundler output, not obfuscation. ai
typosquat typosquat.levenshtein:yup AI (typosquat): @huggingface/hub is the official Hugging Face hub client, a scoped package under the @huggingface namespace. Levenshtein comparison to 'yup' is a false positive with no impersonation intent. ai

Versions (showing 49 of 49)

Version Deps Published
2.13.3 2 / 1
2.13.2 2 / 1
2.13.1 2 / 1
2.13.0 2 / 1
2.12.0 2 / 1
2.11.2 2 / 1
2.11.1 2 / 1
2.11.0 1 / 1
2.10.8 1 / 1
2.10.7 1 / 1
2.10.6 1 / 1
2.10.5 1 / 1
2.10.4 1 / 1
2.10.3 1 / 1
2.10.2 1 / 1
2.10.1 1 / 1
2.10.0 1 / 1
2.9.0 1 / 1
2.8.1 1 / 1
2.8.0 1 / 1
2.7.2 1 / 1
2.7.1 1 / 1
2.7.0 1 / 1
2.6.13 1 / 1
2.6.12 1 / 1
2.6.11 1 / 1
2.6.10 1 / 1
2.6.9 1 / 1
2.6.8 1 / 1
2.6.7 1 / 1
2.6.6 1 / 1
2.6.5 1 / 1
2.6.4 1 / 1
2.6.3 1 / 1
2.6.2 1 / 0
2.6.1 1 / 0
2.6.0 1 / 0
2.5.3 1 / 0
2.5.2 1 / 0
2.5.1 1 / 0
2.5.0 1 / 0
2.4.1 1 / 0
2.4.0 1 / 0
2.3.0 1 / 0
2.2.0 1 / 0
2.1.0 1 / 0
2.0.2 1 / 0
2.0.1 1 / 0
2.0.0 1 / 0

v2.13.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.