@rh-support/user-permissions
For managing user permissions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): gisoni added to an established Red Hat internal package; publisher bkale is a known maintainer with strong track record. | ai | |
| dependencies | unvetted-dep:@cee-eng/hydrajs | AI (dependencies): Internal Red Hat/CEE package consistently used across approved versions of this org's packages. | ai | |
| provenance | no-provenance | AI (provenance): Established internal Red Hat package; provenance not configured in their CI pipeline but no other risk signals present. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 2.5.111 | 6 / 6 | |
| 2.5.101 | 6 / 6 | |
| 2.5.100 | 6 / 6 | |
| 2.5.87 | 6 / 6 | |
| 2.5.86 | 6 / 6 | |
| 2.5.64 | 6 / 6 | |
| 2.5.63 | 6 / 6 | |
| 2.5.62 | 6 / 6 | |
| 2.5.49 | 6 / 6 | |
| 2.5.48 | 6 / 6 | |
| 2.5.47 | 6 / 6 | |
| 2.5.46 | 6 / 6 | |
| 2.5.32 | 6 / 6 | |
| 2.5.31 | 6 / 6 | |
| 2.5.27 | 6 / 6 | |
| 2.5.26 | 6 / 6 | |
| 2.5.25 | 6 / 6 | |
| 2.5.22 | 6 / 6 | |
| 2.5.20 | 6 / 6 | |
| 2.5.19 | 6 / 6 | |
| 2.5.18 | 6 / 6 | |
| 2.5.17 | 6 / 6 | |
| 2.5.16 | 6 / 6 | |
| 2.5.15 | 6 / 6 | |
| 2.5.14 | 6 / 6 | |
| 2.5.13 | 6 / 6 | |
| 2.5.12 | 6 / 6 | |
v2.5.111
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (bkale) than the most recent previously approved version (anujsi) on 2026-06-04, but bkale is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.5.101
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (anujsi) than the most recent previously approved version (arajak) on 2026-04-26, but anujsi is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.5.100
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.87
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.86
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.64
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.63
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.62
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.49
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.48
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.47
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.46
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.32
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.31
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.27
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.26
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.25
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.