@moneybutton/logger
Money Button isomorphic logger.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from ryanxcharles to calvo.generico occurred in 2019 — over 6 years ago. calvo.generico has 117 approved packages and is a long-standing publisher. Clearly a legitimate transition. | ai | |
| source-diff | net-exec-file:dist/mb-logger.umd.js | AI (source-diff): The flagged file is a standard webpack UMD bundle for a browser logger. The sample shows only webpack boilerplate (__webpack_require__, UMD wrapper). No actual malicious network or exec behavior present. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of a UMD browser bundle (261KB). Package.json confirms rollup build pipeline producing multiple bundle formats; this is expected for a browser-compatible logger. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a standard runtime dependency used by babel plugin-transform-runtime; it is injected by the build toolchain rather than directly imported in source. | ai |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 0.38.8 | 3 / 18 | |
| 0.38.7 | 3 / 18 | |
| 0.38.5 | 3 / 18 | |
| 0.38.4 | 3 / 18 | |
| 0.38.3 | 3 / 18 | |
| 0.38.2 | 3 / 18 | |
| 0.38.1 | 3 / 18 | |
| 0.37.0 | 3 / 18 | |
| 0.36.0 | 3 / 18 | |
| 0.35.0 | 3 / 18 | |
| 0.34.0 | 3 / 18 | |
| 0.33.0 | 3 / 18 | |
| 0.32.0 | 3 / 20 | |
| 0.31.3 | 3 / 20 | |
| 0.31.2 | 3 / 20 | |
| 0.31.1 | 3 / 20 | |
| 0.31.0 | 3 / 20 | |
| 0.30.1 | 3 / 20 | |
| 0.30.0 | 3 / 20 | |
| 0.28.1 | 3 / 20 | |
| 0.28.0 | 3 / 20 | |
| 0.27.0 | 3 / 20 | |
| 0.26.0 | 3 / 20 | |
| 0.25.0 | 3 / 20 | |
| 0.24.4 | 3 / 20 | |
| 0.24.3 | 3 / 20 | |
| 0.24.2 | 3 / 20 | |
| 0.24.0 | 3 / 20 | |
| 0.23.0 | 3 / 21 | |
| 0.22.2 | 3 / 21 | |
| 0.21.11 | 3 / 21 | |
| 0.21.9 | 3 / 21 | |
| 0.21.8 | 3 / 21 | |
| 0.21.7 | 3 / 21 | |
| 0.21.5 | 3 / 21 | |
| 0.21.3 | 3 / 21 | |
| 0.21.2 | 3 / 21 | |
| 0.21.1 | 3 / 21 | |
| 0.1.8 | 3 / 21 | |
| 0.1.7 | 3 / 21 | |
| 0.1.0 | 3 / 20 |
v0.38.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.3
3 findingsThis version was published by a different npm account than previous versions on 2020-05-04. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.2
3 findingsThis version was published by a different npm account than previous versions on 2020-04-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.0
2 findingsThis version was published by a different npm account than previous versions on 2020-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.
v0.31.0
2 findingsThis version was published by a different npm account than previous versions on 2019-11-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-23. This could indicate a legitimate maintainer transition or an account compromise.
v0.24.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.24.0
3 findingsThis version was published by a different npm account than previous versions on 2019-08-02. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.2
2 findingsThis version was published by a different npm account than previous versions on 2019-06-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.7
3 findingsThis version was published by a different npm account than previous versions on 2019-04-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.3
2 findingsThis version was published by a different npm account than previous versions on 2019-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.1
3 findingsThis version was published by a different npm account than previous versions on 2019-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.7
2 findingsThis version was published by a different npm account than previous versions on 2018-11-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.