@spinajs/fs
wrapper for file operations
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Long-established package with consistent publish history; lack of provenance is a known stable condition. | ai | |
| dependencies | unvetted-dep:exiftool | AI (dependencies): exiftool 0.0.3 is a stable declared dependency present across prior approved versions of this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): spinajs monorepo publishes all packages simultaneously; rapid publish is expected behavior across 400+ versions. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Publisher has 206 approved packages with clean history; dormancy pattern is not indicative of takeover for this monorepo. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @spinajs package; not a typosquat of 'qs'. Levenshtein match is spurious for scoped names. | ai | |
| phantom-deps | phantom-dep:exiftool | AI (phantom-deps): exiftool is a declared runtime dependency; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is a declared runtime dependency; phantom-dep false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @spinajs package; not a typosquat of 'pg'. Levenshtein match is spurious for scoped names. | ai | |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 2.0.470 | 10 / 4 | |
| 2.0.468 | 10 / 4 | |
| 2.0.466 | 10 / 4 | |
| 2.0.465 | 10 / 4 | |
| 2.0.464 | 10 / 4 | |
| 2.0.463 | 10 / 4 | |
| 2.0.462 | 10 / 4 | |
| 2.0.461 | 10 / 4 | |
| 2.0.460 | 10 / 4 | |
| 2.0.458 | 10 / 4 | |
| 2.0.457 | 10 / 4 | |
| 2.0.456 | 10 / 4 | |
| 2.0.455 | 10 / 4 | |
| 2.0.453 | 10 / 4 | |
| 2.0.452 | 10 / 4 | |
| 2.0.451 | 10 / 4 | |
| 2.0.450 | 10 / 4 | |
| 2.0.449 | 10 / 4 | |
| 2.0.448 | 10 / 4 | |
| 2.0.447 | 10 / 4 | |
| 2.0.446 | 10 / 4 | |
| 2.0.445 | 10 / 4 | |
| 2.0.444 | 10 / 4 | |
| 2.0.441 | 10 / 4 | |
| 2.0.439 | 10 / 4 | |
| 2.0.436 | 10 / 4 | |
| 2.0.435 | 10 / 4 | |
| 2.0.434 | 10 / 4 | |
| 2.0.432 | 10 / 4 | |
| 2.0.430 | 10 / 4 | |
| 2.0.429 | 10 / 4 | |
| 2.0.428 | 10 / 4 | |
| 2.0.427 | 10 / 4 | |
| 2.0.426 | 10 / 4 | |
| 2.0.425 | 10 / 4 | |
| 2.0.424 | 10 / 4 | |
| 2.0.423 | 10 / 4 | |
| 2.0.422 | 10 / 4 | |
| 2.0.421 | 10 / 4 | |
| 2.0.420 | 10 / 4 | |
| 2.0.419 | 10 / 4 | |
| 2.0.417 | 10 / 4 | |
| 2.0.415 | 10 / 4 | |
| 2.0.414 | 10 / 4 | |
| 2.0.413 | 10 / 4 | |
| 2.0.412 | 10 / 4 | |
| 2.0.411 | 10 / 4 | |
| 2.0.409 | 10 / 4 | |
| 2.0.408 | 10 / 4 | |
| 2.0.406 | 10 / 4 | |
| 2.0.405 | 10 / 4 | |
v2.0.470
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.468
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.466
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.465
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.463
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.462
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.461
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.460
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.458
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.457
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.456
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.455
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.453
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.452
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.451
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.450
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.449
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.448
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.447
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.446
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.445
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.444
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.441
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.439
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.436
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.435
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.432
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.430
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.429
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.428
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.427
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.426
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.425
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.424
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.423
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.422
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.421
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.420
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.419
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.417
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.415
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.414
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.413
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.412
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.411
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.409
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.408
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.406
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.405
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.