@memlab/api — Greenflagged

memlab API

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

npm-memlabjacksonglmeta-memlab

Keywords

memlabmemoryleakapie2ebrowserheapsnapshotanalysisplugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@memlab/e2e	AI (dependencies): Sibling package in the facebook/memlab monorepo; same publisher and trust context.	ai	2026/05/14
provenance	no-provenance	AI (provenance): Established Meta OSS package; lack of Sigstore attestation is common and not a risk indicator here.	ai	2026/05/14
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped package @memlab/api from Meta's memlab project; not a typosquat of joi.	ai	2026/04/29
typosquat	typosquat.levenshtein:ajv	AI (typosquat): Scoped package @memlab/api from Meta's memlab project; not a typosquat of ajv.	ai	2026/04/29
phantom-deps	phantom-dep:ansi	AI (phantom-deps): Declared dep used transitively or in config; stable false positive for this monorepo package.	ai	2026/04/29
phantom-deps	phantom-dep:xvfb	AI (phantom-deps): xvfb used for headless browser testing; referenced in config, not directly imported in JS.	ai	2026/04/29
typosquat	typosquat.levenshtein:hapi	AI (typosquat): Scoped package @memlab/api from Meta's memlab project; not a typosquat of hapi.	ai	2026/04/29
phantom-deps	phantom-dep:chalk	AI (phantom-deps): Declared dep for terminal coloring; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:string-width	AI (phantom-deps): Declared dep; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:util.promisify	AI (phantom-deps): Declared dep; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:babar	AI (phantom-deps): Declared dep for CLI chart rendering; stable false positive for this package.	ai	2026/04/29
typosquat	typosquat.levenshtein:pg	AI (typosquat): Scoped package @memlab/api from Meta's memlab project; not a typosquat of pg.	ai	2026/04/29

Versions (showing 4 of 4)

Version	Deps	Published
2.0.3	13 / 7	2026-05-27
2.0.2	13 / 7	2026-04-26
2.0.1	13 / 7	2026-04-16
2.0.0	13 / 7	2026-01-02

v2.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'hapi' typosquat

Package name '@memlab/api' is 1 edit(s) away from popular package 'hapi'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.