@opengis/fastify-file — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

evheniihavryliukandrii.cherinsetebosurapax.deusmchernenkonikachu404serebasikkoleksandr_krizhanovskyaponaskofarizov_maximbohdana_usenko

Keywords

fastifyfileconvertgrpcs3

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@grpc/proto-loader	AI (phantom-deps): gRPC proto-loader loaded by convention; stable false positive.	ai	2026/05/21
phantom-deps	phantom-dep:image-size	AI (phantom-deps): Utility dep referenced in config; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:@grpc/grpc-js	AI (phantom-deps): gRPC dep loaded by convention per config; stable false positive.	ai	2026/05/21
phantom-deps	phantom-dep:@aws-sdk/client-s3	AI (phantom-deps): AWS SDK loaded by convention; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:formidable	AI (phantom-deps): Framework-scoped optional dependency loaded by convention; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:fastify	AI (phantom-deps): fastify is a peer dependency in a fastify plugin; not directly imported but used via plugin registration.	ai	2026/05/12
phantom-deps	phantom-dep:undici	AI (phantom-deps): undici is a known implicit runtime dependency of fastify; stable false positive for fastify plugins.	ai	2026/05/12
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decode is used to write uploaded file content to disk — standard file upload handling, not obfuscation.	ai	2026/05/12