@rosen-bridge/fastify-enhanced
a wrapper around fastify web framework to make it even better
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/logger.js | AI (source-diff): File is clean TypeScript-compiled ESM with comments; long-line trigger is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dep used via fastify-zod-openapi integration; phantom-dep is a false positive for this package. | ai | |
| dependencies | unvetted-dep:fastify-zod-openapi | AI (dependencies): fastify-zod-openapi is a well-known Fastify/Zod OpenAPI integration library; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established org package; lack of provenance is common and not a risk signal here. | ai |
v3.2.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.