@makerx/node-winston

A set of winston formats, console transport and logger creation functions

Versions: 4
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

patrick.dinhmakerx-engineeringmakerxuserplebsorivatsalyagoel

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | large-new-source-files | AI (source-diff): v2.0.0 major refactor adds dual CJS/ESM build outputs; size increase is structural, not injected payload. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase from dual-module build artifacts and new source structure, not bundled malicious code. | ai |
bogus-package | bogus-package | AI (bogus-package): Legitimate MakerX org package; README and metadata style are consistent across versions, not spam. | ai |
phantom-deps | phantom-dep:triple-beam | AI (phantom-deps): triple-beam is a peer/transitive dep of winston; declaring it explicitly is a valid pinning pattern. | ai |
typosquat | typosquat.pattern:winston | AI (typosquat): Scoped @makerx package intentionally wrapping winston; not a typosquat. | ai |

Versions (showing 4 of 4)

Version Deps Published
2.0.1 3 / 0
2.0.0 3 / 0
1.3.1 10 / 0
1.3.0 3 / 0

v2.0.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.0

2 findings
HIGH: typosquat.pattern: Suspicious name similarity to 'winston' [typosquat]

Package name '@makerx/node-winston' matches a known typosquatting pattern (hyphen swap, prefix/suffix) of 'winston'.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.