@powerlines/plugin-automd

A Powerlines plugin to maintain a project's markdown files using AutoMD generators.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

stormie-botsullivanpj

Keywords

automdpowerlinesstorm-softwarepowerlines-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): 50x size increase explained by bundling jiti (2.3MB), untyped, acorn into dist/node_modules. Legitimate architectural change from runtime dep to self-bundled deps.	ai	2026/04/27
source-diff	net-exec-file:dist/node_modules/.pnpm/[email protected]/node_modules/lodash.deburr/index.cjs	AI (source-diff): lodash.deburr is a well-known lodash utility; net-exec flag is a false positive from rolldown bundler wrapping pattern. No actual network calls in lodash.deburr.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/jiti.cjs	AI (source-diff): jiti's main dist file is minified by design; legitimate package bundled as transitive dep.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.mjs	AI (source-diff): ESM variant of jiti babel dist; minified by design. Legitimate package.	ai	2026/04/27
source-diff	net-exec-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.mjs	AI (source-diff): ESM variant of jiti babel dist; net+exec is inherent to jiti's design as a runtime loader.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/untyped/dist/loader/babel.mjs	AI (source-diff): ESM variant of untyped babel loader; minified by design. Legitimate package.	ai	2026/04/27
source-diff	net-exec-file:dist/node_modules/.pnpm/[email protected]/node_modules/lodash.deburr/index.mjs	AI (source-diff): ESM variant of lodash.deburr; net-exec flag is false positive from rolldown bundler wrapping.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/jiti.mjs	AI (source-diff): ESM variant of jiti main dist; minified by design. Legitimate package.	ai	2026/04/27
source-diff	large-new-source-files	AI (source-diff): Large file count increase is due to bundling transitive deps (jiti, untyped, acorn, lodash.deburr) into dist/node_modules, replacing removed 'powerlines' runtime dep. Architectural change, not injection.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.cjs	AI (source-diff): jiti is a legitimate TypeScript/ESM runtime loader; its dist files are minified by design. Bundled into package dist as a transitive dep replacement for removed 'powerlines' runtime dep.	ai	2026/04/27
source-diff	net-exec-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.cjs	AI (source-diff): jiti's core purpose is dynamic code loading/execution; net+exec pattern is inherent to its design, not malicious. Legitimate well-known package bundled as transitive dep.	ai	2026/04/27
source-diff	obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/untyped/dist/loader/babel.cjs	AI (source-diff): untyped is a legitimate schema generation package from the UnJS ecosystem; minified dist files are expected. Bundled as transitive dep.	ai	2026/04/27
phantom-deps	phantom-dep:@stryke/convert	AI (phantom-deps): @stryke/convert is a declared runtime dependency used in config files; phantom-dep false positive for this plugin package pattern.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): Transition from stormie-bot to GitHub Actions is a documented CI/CD migration for Storm Software packages; SLSA provenance attestation confirms pipeline integrity.	ai	2026/04/27
phantom-deps	phantom-dep:defu	AI (phantom-deps): defu is a declared runtime dependency used in config files; phantom-dep false positive for this plugin package pattern.	ai	2026/04/27
phantom-deps	phantom-dep:powerlines	AI (phantom-deps): powerlines is a declared runtime dependency used in config files; phantom-dep false positive for this plugin package pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@stryke/path	AI (phantom-deps): @stryke/path is a declared runtime dependency used in config files; phantom-dep false positive for this plugin package pattern.	ai	2026/04/27
phantom-deps	phantom-dep:markdown-toc	AI (phantom-deps): markdown-toc is a declared runtime dependency used in config files; phantom-dep false positive for this plugin package pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@stryke/types	AI (phantom-deps): @stryke/types is a type-only dependency from Storm Software's own ecosystem; config-file-only references are expected for TypeScript type packages.	ai	2026/04/25
phantom-deps	phantom-dep:@stryke/type-checks	AI (phantom-deps): @stryke/type-checks is a type-only dependency from Storm Software's own ecosystem; config-file-only references are expected for TypeScript type packages.	ai	2026/04/25

Versions (showing 100 of 562)

Version	Deps	Published
0.1.268	9 / 3	2026-02-05
0.1.267	9 / 3	2026-02-03
0.1.266	9 / 3	2026-02-03
0.1.265	9 / 3	2026-02-02
0.1.264	9 / 3	2026-02-01
0.1.263	9 / 3	2026-02-01
0.1.262	9 / 3	2026-02-01
0.1.261	9 / 3	2026-02-01
0.1.260	9 / 3	2026-02-01
0.1.259	9 / 3	2026-02-01
0.1.258	9 / 3	2026-02-01
0.1.257	9 / 3	2026-01-30
0.1.256	9 / 3	2026-01-30
0.1.255	9 / 3	2026-01-30
0.1.254	9 / 3	2026-01-30
0.1.238	9 / 3	2026-01-27
0.1.237	9 / 3	2026-01-27
0.1.236	9 / 3	2026-01-27
0.1.235	9 / 3	2026-01-27
0.1.234	9 / 3	2026-01-27
0.1.233	9 / 3	2026-01-27
0.1.232	9 / 3	2026-01-27
0.1.231	9 / 3	2026-01-27
0.1.230	9 / 3	2026-01-27
0.1.229	9 / 3	2026-01-27
0.1.228	9 / 3	2026-01-25
0.1.227	9 / 3	2026-01-25
0.1.226	9 / 3	2026-01-25
0.1.225	9 / 3	2026-01-25
0.1.224	9 / 3	2026-01-25
0.1.223	9 / 3	2026-01-25
0.1.222	9 / 3	2026-01-25
0.1.221	9 / 3	2026-01-24
0.1.220	9 / 3	2026-01-24
0.1.219	9 / 3	2026-01-24
0.1.218	9 / 3	2026-01-24
0.1.217	9 / 3	2026-01-24
0.1.216	9 / 3	2026-01-24
0.1.215	9 / 3	2026-01-24
0.1.214	9 / 3	2026-01-23
0.1.213	9 / 3	2026-01-23
0.1.212	9 / 3	2026-01-23
0.1.211	9 / 3	2026-01-23
0.1.210	9 / 3	2026-01-23
0.1.209	9 / 3	2026-01-23
0.1.208	9 / 3	2026-01-23
0.1.207	9 / 3	2026-01-22
0.1.206	9 / 3	2026-01-22
0.1.205	9 / 3	2026-01-22
0.1.204	9 / 3	2026-01-22
0.1.203	9 / 3	2026-01-22
0.1.202	9 / 3	2026-01-22
0.1.201	9 / 3	2026-01-22
0.1.200	9 / 3	2026-01-22
0.1.199	9 / 3	2026-01-22
0.1.198	9 / 3	2026-01-22
0.1.197	9 / 3	2026-01-21
0.1.196	9 / 3	2026-01-21
0.1.195	9 / 3	2026-01-21
0.1.194	9 / 3	2026-01-21
0.1.193	9 / 3	2026-01-21
0.1.192	9 / 3	2026-01-21
0.1.191	9 / 3	2026-01-20
0.1.190	9 / 3	2026-01-20
0.1.189	9 / 3	2026-01-20
0.1.188	9 / 3	2026-01-20
0.1.187	9 / 3	2026-01-20
0.1.186	9 / 3	2026-01-20
0.1.185	9 / 3	2026-01-20
0.1.184	9 / 3	2026-01-20
0.1.183	9 / 3	2026-01-20
0.1.182	9 / 3	2026-01-20
0.1.181	9 / 3	2026-01-20
0.1.180	9 / 3	2026-01-20
0.1.179	9 / 3	2026-01-20
0.1.178	9 / 3	2026-01-19
0.1.177	9 / 3	2026-01-19
0.1.176	9 / 3	2026-01-19
0.1.175	9 / 3	2026-01-19
0.1.174	9 / 3	2026-01-18
0.1.173	9 / 3	2026-01-18
0.1.172	9 / 3	2026-01-16
0.1.171	9 / 3	2026-01-16
0.1.170	9 / 3	2026-01-16
0.1.169	9 / 3	2026-01-15
0.1.168	9 / 3	2026-01-15
0.1.167	9 / 3	2026-01-15
0.1.166	9 / 3	2026-01-15
0.1.164	9 / 3	2026-01-15
0.1.163	9 / 3	2026-01-15
0.1.162	9 / 3	2026-01-15
0.1.161	9 / 3	2026-01-15
0.1.160	9 / 3	2026-01-15
0.1.159	9 / 3	2026-01-15
0.1.158	9 / 3	2026-01-15
0.1.157	9 / 3	2026-01-15
0.1.156	9 / 3	2026-01-15
0.1.155	9 / 3	2026-01-15
0.1.154	9 / 3	2026-01-14
0.1.153	9 / 3	2026-01-14

Showing 100 of 562 Next page →

v0.1.265

12 findings

HIGH Publisher changed: stormie-bot → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/untyped/dist/loader/babel.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/node_modules/.pnpm/[email protected]/node_modules/lodash.deburr/index.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/jiti.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/babel.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/untyped/dist/loader/babel.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/node_modules/.pnpm/[email protected]/node_modules/lodash.deburr/index.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/jiti.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.264

12 findings

HIGH Publisher changed: stormie-bot → GitHub Actions (on 2026-02-01) provenance

This version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.