@stryke/fs
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from stormie-bot to GitHub Actions — consistent with legitimate migration to OIDC-based CI/CD publishing. SLSA provenance attestation corroborates authenticity. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/file-path-fns-7aKacdLg.cjs | AI (source-diff): File is minified bundler output (tsdown/Rollup CJS chunk) implementing standard path utilities. No obfuscation or malicious patterns present; content-hashed filenames are normal for this build toolchain. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count increase is consistent with bundling previously-external deps internally and expanding export surface; no injected malicious code detected. | ai | |
| phantom-deps | phantom-dep:@stryke/helpers | AI (phantom-deps): Same-org scoped dependency; may be used indirectly or re-exported; phantom-dep is expected in monorepo packages. | ai | |
| phantom-deps | phantom-dep:@stryke/string-format | AI (phantom-deps): Same-org scoped dependency; may be used indirectly or re-exported; phantom-dep is expected in monorepo packages. | ai | |
| phantom-deps | phantom-dep:@stryke/convert | AI (phantom-deps): Same-org scoped dependency; may be used indirectly or re-exported; phantom-dep is expected in monorepo packages. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is declared and used in config/build context; phantom-dep finding is expected for build-time dependencies. | ai | |
| phantom-deps | phantom-dep:@stryke/path | AI (phantom-deps): Same-org scoped dependency; may be used indirectly or re-exported; phantom-dep is expected in monorepo packages. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @stryke/fs is not a typosquat of 'qs'; Levenshtein comparison of scoped names to short unrelated packages produces false positives for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate monorepo utility package from storm-software/stryke; cosmetic README/keyword issues are not security concerns. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @stryke/fs is not a typosquat of 'pg'; same false-positive pattern as the qs finding. | ai |
Versions (showing 51 of 155)
| Version | Deps | Published |
|---|---|---|
| 0.33.85 | 18 / 3 | |
| 0.33.84 | 18 / 3 | |
| 0.33.83 | 18 / 3 | |
| 0.33.82 | 18 / 3 | |
| 0.33.81 | 18 / 3 | |
| 0.33.80 | 18 / 3 | |
| 0.33.79 | 18 / 3 | |
| 0.33.78 | 18 / 3 | |
| 0.33.77 | 18 / 3 | |
| 0.33.76 | 18 / 3 | |
| 0.33.75 | 18 / 3 | |
| 0.33.74 | 18 / 3 | |
| 0.33.73 | 18 / 3 | |
| 0.33.72 | 15 / 3 | |
| 0.33.71 | 15 / 3 | |
| 0.33.70 | 14 / 5 | |
| 0.33.69 | 14 / 5 | |
| 0.33.68 | 14 / 5 | |
| 0.33.67 | 14 / 5 | |
| 0.33.66 | 14 / 5 | |
| 0.33.65 | 14 / 5 | |
| 0.33.64 | 14 / 5 | |
| 0.33.63 | 14 / 5 | |
| 0.33.62 | 14 / 5 | |
| 0.33.61 | 14 / 5 | |
| 0.33.60 | 14 / 5 | |
| 0.33.59 | 14 / 5 | |
| 0.33.58 | 14 / 5 | |
| 0.33.57 | 14 / 5 | |
| 0.33.56 | 14 / 5 | |
| 0.33.55 | 14 / 5 | |
| 0.33.54 | 14 / 5 | |
| 0.33.53 | 14 / 5 | |
| 0.33.50 | 14 / 5 | |
| 0.33.49 | 14 / 5 | |
| 0.33.48 | 14 / 5 | |
| 0.33.47 | 14 / 5 | |
| 0.33.46 | 14 / 5 | |
| 0.33.45 | 14 / 5 | |
| 0.33.44 | 14 / 5 | |
| 0.33.43 | 14 / 5 | |
| 0.33.42 | 14 / 5 | |
| 0.33.40 | 14 / 5 | |
| 0.33.39 | 14 / 5 | |
| 0.33.38 | 14 / 5 | |
| 0.33.37 | 14 / 5 | |
| 0.33.36 | 14 / 5 | |
| 0.33.35 | 14 / 5 | |
| 0.33.34 | 14 / 5 | |
| 0.33.33 | 14 / 5 | |
| 0.33.32 | 14 / 5 |
v0.33.85
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.84
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.83
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.82
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.81
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.80
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.79
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.78
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.77
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-25, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.33.76
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.75
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.74
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.73
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.72
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.71
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.69
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.68
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.67
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.66
2 findingsPackage name '@stryke/fs' is 1 edit(s) away from popular package 'qs'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.65
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.38
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.