@murumets-ee/queue
Postgres-backed job queue — enqueue, poll, retry, dead letter, scheduled jobs, and worker lifecycle.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by new email-alert feature and additional bundled chunks; consistent with added deps. | ai | |
| source-diff | obfuscated-file:dist/publish-DbJyLqlZ.mjs | AI (source-diff): Standard tsdown/ESM bundle output; samples show cron/schedule utilities, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/client-4Cs7KQC8.mjs | AI (source-diff): Standard tsdown/ESM bundle output; samples show queue client logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/plugin-BAEIELKb.mjs | AI (source-diff): Minified tsdown bundle output; content is readable queue plugin logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/client-DGuMqpVs.mjs | AI (source-diff): Standard tsdown/Vite chunked ESM bundle output; samples show readable queue client logic. | ai | |
| source-diff | obfuscated-file:dist/plugin-DH_L2vUi.mjs | AI (source-diff): Standard tsdown/Vite chunked ESM bundle output; samples show readable plugin/config logic. | ai | |
| source-diff | obfuscated-file:dist/plugin-DJoWNImU.mjs | AI (source-diff): Standard tsdown/rollup bundler output; samples show readable plugin/config logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/admin.mjs | AI (source-diff): Standard tsdown/rollup bundler output; samples show readable queue admin logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/client-BhpX1nlR.mjs | AI (source-diff): Standard tsdown/rollup bundler output; samples show readable queue client logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/publish-DwRTZWJN.mjs | AI (source-diff): Standard tsdown/rollup bundler output; samples show readable cron/schedule logic, no malicious patterns. | ai | |
| phantom-deps | phantom-dep:@murumets-ee/mail | AI (phantom-deps): Same org-scoped dep used transitively via bundled dist; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/client.cjs | AI (source-diff): tsup-generated minified CJS bundle; content is readable cron/backoff logic, no malicious patterns. | ai | |
| phantom-deps | phantom-dep:@murumets-ee/logging | AI (phantom-deps): Same-org sibling package; likely used transitively or in build tooling rather than direct import. | ai | |
| phantom-deps | phantom-dep:@murumets-ee/core | AI (phantom-deps): Same-org sibling package; likely used transitively or in build tooling rather than direct import. | ai | |
| source-diff | obfuscated-file:dist/worker.cjs | AI (source-diff): tsup-generated minified CJS bundle; content is readable cron/backoff logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/plugin.cjs | AI (source-diff): tsup-generated minified CJS bundle; content is drizzle-orm schema definitions, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): tsup-generated minified CJS bundle; content is drizzle-orm schema definitions, no malicious patterns. | ai |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 0.23.2 | 6 / 4 | |
| 0.23.1 | 6 / 4 | |
| 0.23.0 | 6 / 4 | |
| 0.22.1 | 6 / 4 | |
| 0.22.0 | 6 / 4 | |
| 0.21.1 | 6 / 4 | |
| 0.20.0 | 6 / 4 | |
| 0.17.1 | 6 / 4 | |
| 0.17.0 | 6 / 4 | |
| 0.16.4 | 6 / 4 | |
| 0.15.4 | 6 / 4 | |
| 0.15.3 | 6 / 4 | |
| 0.15.1 | 6 / 4 | |
| 0.15.0 | 6 / 4 | |
| 0.14.0 | 6 / 4 | |
| 0.13.3 | 6 / 4 | |
| 0.13.2 | 6 / 4 | |
| 0.13.1 | 6 / 4 | |
| 0.13.0 | 6 / 4 | |
| 0.12.0 | 6 / 4 | |
| 0.11.0 | 4 / 4 | |
| 0.10.0 | 4 / 4 | |
| 0.8.0 | 4 / 4 | |
| 0.7.0 | 4 / 4 | |
| 0.6.1 | 4 / 4 | |
| 0.5.1 | 4 / 4 | |
| 0.5.0 | 4 / 4 | |
| 0.4.8 | 4 / 4 | |
| 0.4.6 | 4 / 4 | |
| 0.4.5 | 4 / 4 | |
| 0.4.0 | 4 / 4 | |
| 0.3.0 | 4 / 4 | |
| 0.2.0 | 4 / 4 | |
| 0.1.6 | 4 / 4 | |
| 0.1.5 | 4 / 4 | |
| 0.1.4 | 4 / 4 | |
| 0.1.3 | 4 / 4 | |
| 0.1.2 | 4 / 4 | |
| 0.1.1 | 4 / 4 | |
| 0.1.0 | 4 / 4 |
v0.23.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.1
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.4
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranx2k.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.