@pnpm/read-project-manifest
Read a project manifest (called package.json in most cases)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): zkochan is pnpm's founder and primary maintainer; the prior publisher 'pnpmuser' was a CI/bot account. This transition is a legitimate workflow change, not a takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): The 1001.x version series is a new major version line for pnpm10; apparent dormancy reflects the versioning scheme, not account inactivity. zkochan has a long, clean publishing history. | ai | |
| provenance | no-provenance | AI (provenance): pnpm monorepo packages are published by the trusted pnpmuser account without Sigstore provenance; this is consistent across all pnpm packages and not a security concern. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 1001.2.6 | 13 / 5 | |
| 1001.2.5 | 13 / 5 | |
| 1001.2.4 | 13 / 5 | |
| 1001.2.3 | 13 / 5 | |
| 1001.2.2 | 13 / 5 | |
| 1001.2.1 | 13 / 5 | |
| 1001.2.0 | 13 / 5 | |
| 1001.1.4 | 12 / 5 | |
| 1001.1.3 | 12 / 5 | |
| 1001.1.2 | 12 / 5 | |
| 1001.1.1 | 12 / 5 | |
| 1001.1.0 | 12 / 5 | |
| 1001.0.0 | 12 / 5 | |
v1001.2.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1001.2.5
2 findings: This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1001.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.1.3
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
v1001.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1001.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.