All @redhat-cloud-services/tsc-transform-imports versions
@redhat-cloud-services/tsc-transform-imports @1.2.2
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
60
Risk Score
—
License
No
Install Scripts
1
Dependencies
0
Dev Dependencies
927.5 KB
Package Size
Published
Maintainers
jozefhartingerkarelhalahyperkidflorkbrchmulder
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| glob | 10.5.0 | auto_approved |
Transitive Dependency Tree
28 transitive deps
max depth 5
├─
glob
10.5.0
→ 10.5.0
├─
foreground-child
^3.1.0
→ 3.3.1
├─
jackspeak
^3.1.2
→ 3.4.3
├─
minimatch
^9.0.4
→ 9.0.9
├─
minipass
^7.1.2
→ 7.1.3
├─
package-json-from-dist
^1.0.0
→ 1.0.1
├─
path-scurry
^1.11.1
→ 1.11.1
├─
@isaacs/cliui
^8.0.2
→ 8.0.2
├─
brace-expansion
^2.0.2
→ 2.1.1
├─
cross-spawn
^7.0.6
→ 7.0.6
├─
lru-cache
^10.2.0
→ 10.4.3
├─
signal-exit
^4.0.1
→ 4.1.0
├─
balanced-match
^1.0.0
→ 1.0.2
├─
path-key
^3.1.0
→ 3.1.1
├─
shebang-command
^2.0.0
→ 2.0.0
├─
string-width
^5.1.2
→ 5.1.2
├─
string-width-cjs
npm:string-width@^4.2.0
├─
strip-ansi
^7.0.1
→ 7.2.0
├─
strip-ansi-cjs
npm:strip-ansi@^6.0.1
├─
which
^2.0.1
→ 2.0.2
├─
wrap-ansi
^8.1.0
→ 8.1.0
├─
wrap-ansi-cjs
npm:wrap-ansi@^7.0.0
├─
ansi-regex
^6.2.2
→ 6.2.2
├─
ansi-styles
^6.1.0
→ 6.2.3
├─
eastasianwidth
^0.2.0
→ 0.2.0
├─
emoji-regex
^9.2.2
├─
isexe
^2.0.0
→ 2.0.0
├─
shebang-regex
^3.0.0
Changes from v1.2.1
Dependency Changes
Script Changes
+ preinstallFile Changes
0 added
0 removed
2 modified
size delta: +4184.6 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
install-script:preinstall |
— | reject | sean | redhat-cloud-services supply-chain compromise (2026-06-01): injected preinstall hook. Auto-reject any version with a preinstall script. |
SAST Findings (3)
HIGH
Package has 'preinstall' script
install-scripts
Script: node index.js
HIGH
Missing gitHead — previous versions had it
provenance
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 60. Findings: 2 high (+50), 1 medium (+10), 2 info (+0).
Published to npm: