@insforge/sdk@1.2.3
Status: rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 50
License: —
Install Scripts: No
Dependencies: 3
Dev Dependencies: 8
Package Size: 7.6 KB
Published
Maintainers: junwenfeng, insforge-npm, carmendou, fermioniclyu, tony430
Keywords: insforge, baas, backend, sdk, typescript, javascript, client
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| socket.io-client | ^4.8.1 | auto_approved |
| @supabase/postgrest-js | ^1.21.3 | pending |
| @insforge/shared-schemas | ^1.1.46 | auto_approved |
Dev Dependencies (8)
| Package | Constraint | Registry Status |
|---|---|---|
| tsup | ^8.0.2 | auto_approved |
| eslint | ^8.57.0 | auto_approved |
| vitest | ^1.3.1 | auto_approved |
| typescript | ^5.3.3 | auto_approved |
| @types/node | ^20.11.24 | auto_approved |
| @vitest/coverage-v8 | ^1.3.1 | needs_review |
| @typescript-eslint/parser | ^7.1.0 | auto_approved |
| @typescript-eslint/eslint-plugin | ^7.1.0 | auto_approved |
Transitive Dependency Tree (12 transitive deps, max depth 4; constraint → resolved version)
├─ @insforge/shared-schemas ^1.1.46 → 1.1.52
├─ @supabase/postgrest-js ^1.21.3
├─ socket.io-client ^4.8.1 → 4.8.3
├─ @socket.io/component-emitter ~3.1.0 → 3.1.2
├─ debug ~4.4.1 → 4.4.3
├─ engine.io-client ~6.6.1 → 6.6.4
├─ socket.io-parser ~4.2.4 → 4.2.6
├─ zod ^3.23.8 → 3.25.76
├─ @socket.io/component-emitter ~3.1.0 → 3.1.2
├─ debug ~4.4.1 → 4.4.3
├─ engine.io-parser ~5.2.1 → 5.2.3
├─ ms ^2.1.3 → 2.1.3
├─ ws ~8.18.3 → 8.18.3
├─ xmlhttprequest-ssl ~2.1.1 → 2.1.2
├─ ms ^2.1.3 → 2.1.3
Changes from v1.2.2
Dependency Changes: (none listed)
Script Changes: + test:integration:ci
File Changes: 0 added, 6 removed, 1 modified (size delta: -482.1 KB)
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed to a brand-new account (tony430, 0 prior packages, first seen 9 days ago) with no track record. This is a strong takeover signal that generalizes until a legitimate transition is verified. |
| source-size-dropped | source-diff | reject | AI | AI (source-diff): Source dropped from 204KB to 0B in the same version that saw a publisher change, strongly indicative of content replacement and consistent with a supply chain attack. |
SAST Findings (2)
| Severity | Category | Finding | Detail |
|---|---|---|---|
| HIGH | provenance | Publisher changed: fermioniclyu → tony430 (on 2026-04-04) | This version was published on 2026-04-04 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise. |
| LOW | provenance | No provenance attestation | The package was published without Sigstore provenance. Consider asking the maintainer to enable provenance (npm publish --provenance from a supported CI/CD system). |
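The two dispositions and the SAST findings above all come from comparing one version's registry metadata against the version before it. The following is an added example, not GreenFlagged's or InsForge's code, showing how the same three signals (publisher changed, size collapse in the same release, no provenance attestation) can be re-derived from the shape of an npm packument (the JSON returned by GET https://registry.npmjs.org/<name>). The packument object is constructed to mirror this page; `_npmUser`, `dist.unpackedSize`, `dist.attestations` and `time` are real registry fields, but the byte counts and timestamps are illustrative, and `dist.unpackedSize` is used as a proxy for the source size the page's source-diff rule measures. The 50% drop threshold and the severities are assumptions of this example.

```javascript
// Added example, not GreenFlagged's or InsForge's code. Re-derives the
// provenance / source-diff signals on this page from an npm packument.
// CONSTRUCTED sample: field names are real npm registry fields, values are illustrative.
const SAMPLE_PACKUMENT = {
  name: "@insforge/sdk",
  "dist-tags": { latest: "1.2.3" },
  time: {
    "1.2.1": "2026-03-20T08:00:00.000Z",
    "1.2.2": "2026-03-28T10:00:00.000Z",
    "1.2.3": "2026-04-04T09:12:00.000Z",
  },
  versions: {
    "1.2.1": { _npmUser: { name: "fermioniclyu" }, dist: { unpackedSize: 501000 } },
    "1.2.2": { _npmUser: { name: "fermioniclyu" }, dist: { unpackedSize: 501453 } },
    // publisher changed and the tarball shrank to a stub in the same release
    "1.2.3": { _npmUser: { name: "tony430" }, dist: { unpackedSize: 7782 } },
  },
};

// Numeric compare for plain x.y.z versions (assumption: no prerelease tags in the sample).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Highest published version older than `version`, or null if it is the first.
function previousVersion(packument, version) {
  const older = Object.keys(packument.versions)
    .filter((v) => compareVersions(v, version) < 0)
    .sort(compareVersions);
  return older.length ? older[older.length - 1] : null;
}

// `npm publish --provenance` records a Sigstore bundle under dist.attestations.
function hasProvenance(meta) {
  return Boolean(meta.dist && meta.dist.attestations && meta.dist.attestations.provenance);
}

// Findings for one version, using the rule names this page uses.
function analyzeVersion(packument, version, { sizeDropRatio = 0.5 } = {}) {
  const cur = packument.versions[version];
  if (!cur) throw new Error(`unknown version ${version}`);
  const prevVersion = previousVersion(packument, version);
  const prev = prevVersion ? packument.versions[prevVersion] : null;
  const findings = [];

  const publisher = cur._npmUser && cur._npmUser.name;
  const prevPublisher = prev && prev._npmUser && prev._npmUser.name;
  const publisherChanged = Boolean(prev && publisher !== prevPublisher);
  if (publisherChanged) {
    findings.push({
      rule: "publisher-changed",
      severity: "HIGH",
      detail: `${prevPublisher} -> ${publisher} on ${packument.time[version].slice(0, 10)}`,
    });
  }

  const size = cur.dist.unpackedSize;
  const prevSize = prev ? prev.dist.unpackedSize : 0;
  if (prevSize > 0 && size < prevSize * (1 - sizeDropRatio)) {
    // A size collapse alone can be benign (e.g. sources no longer bundled); coinciding
    // with a publisher change it is the content-replacement pattern this page flags.
    findings.push({
      rule: "source-size-dropped",
      severity: publisherChanged ? "HIGH" : "MEDIUM",
      detail: `${prevSize} B -> ${size} B (${Math.round((1 - size / prevSize) * 100)}% smaller)`,
    });
  }

  if (!hasProvenance(cur)) {
    findings.push({ rule: "no-provenance", severity: "LOW", detail: "no Sigstore attestation on dist" });
  }
  return findings;
}

// Assumed policy: any HIGH finding rejects the version; everything else is informational.
function disposition(findings) {
  return findings.some((f) => f.severity === "HIGH") ? "reject" : "approve";
}

const latestFindings = analyzeVersion(SAMPLE_PACKUMENT, "1.2.3");
console.log(disposition(latestFindings));
for (const f of latestFindings) console.log(`${f.severity} ${f.rule}: ${f.detail}`);
```

Run against the constructed packument, 1.2.2 yields only the LOW no-provenance finding (same publisher, size unchanged) and is approved, while 1.2.3 yields publisher-changed, source-size-dropped and no-provenance and is rejected. The account-age heuristic in the page's disposition (0 prior packages, first seen 9 days ago) needs the publisher's own registry record, which is not in a packument, so it is deliberately not modelled here.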
Review Summary
Risk score: 50. Findings: 1 high (+25), 1 medium (+10), 5 low (+15).
Commit: 7356df018241
Published to npm: