@tryghost/mg-wp-api
Export content using the WordPress JSON API, and generate a `zip` file you can import into a Ghost installation.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Ghost Foundation migrated to GitHub Actions CI publishing; SLSA attestation confirms supply chain integrity. | ai | |
| provenance | missing-githead | AI (provenance): Consistent with GitHub Actions CI publish flow for this org; SLSA provenance attestation compensates. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lodash is a well-established utility library with no malicious indicators; addition is benign. | ai | |
| phantom-deps | phantom-dep:@tryghost/errors | AI (phantom-deps): Same-org scoped dependency; declared in package.json and used internally. | ai | |
| dependencies | unvetted-dep:wpapi | AI (dependencies): Known WP API client; stable dependency for this Ghost migration tool. | ai | |
| dependencies | unvetted-dep:@tryghost/mg-webscraper | AI (dependencies): First-party Ghost migration utility; stable across versions. | ai | |
| dependencies | unvetted-dep:simple-dom | AI (dependencies): Well-known DOM utility; no risk signal for this package. | ai | |
| dependencies | unvetted-dep:@tryghost/debug | AI (dependencies): First-party Ghost Foundation package; stable across versions. | ai | |
| dependencies | unvetted-dep:@tryghost/mg-fs-utils | AI (dependencies): First-party Ghost migration utility; stable across versions. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.22.0 | 10 / 1 | |
| 0.21.0 | 11 / 1 | |
| 0.20.3 | 11 / 1 | |
| 0.20.2 | 11 / 1 | |
| 0.20.1 | 12 / 1 | |
| 0.20.0 | 12 / 1 | |
| 0.19.0 | 12 / 1 | |
| 0.18.0 | 13 / 1 | |
| 0.17.0 | 13 / 1 | |
| 0.16.0 | 13 / 1 | |
| 0.15.0 | 12 / 1 | |
| 0.14.0 | 12 / 1 | |
| 0.13.0 | 12 / 1 | |
| 0.12.2 | 12 / 1 | |
| 0.12.1 | 12 / 1 | |
| 0.12.0 | 12 / 1 | |
| 0.11.20 | 12 / 3 | |
| 0.11.19 | 12 / 3 | |
| 0.11.18 | 12 / 3 | |
| 0.11.17 | 12 / 3 | |
| 0.11.16 | 12 / 3 | |
| 0.11.15 | 12 / 3 | |
| 0.11.14 | 12 / 3 | |
| 0.11.13 | 12 / 3 | |
| 0.11.12 | 12 / 3 | |
| 0.11.11 | 12 / 3 | |
| 0.11.10 | 12 / 3 | |
| 0.11.9 | 12 / 3 | |
| 0.11.8 | 12 / 3 | |
v0.22.0 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.0 (2 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.3 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.2 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.1 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-24. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.0 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.0 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.18.0 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0 (3 findings)
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-05. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0 (2 findings)
- This version was published by a different npm account than previous versions on 2026-04-04. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.20 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.19 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.18 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.17 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.16 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.15 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.14 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.13 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.12 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.11 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.10 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.9 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.8 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
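The three findings above (Sigstore provenance present or absent, gitHead dropped after earlier versions carried it, publisher account changed) are all derived from the per-version metadata the npm registry returns. The example below is an added illustration, not code from this page or from Ghost's migration tooling: it replays those checks over a constructed packument fragment for a hypothetical package. The field names (`gitHead`, `_npmUser.name`, `dist.attestations.provenance.predicateType`) are the ones the public registry exposes; the version numbers, commit hashes and account names are made up. Note the relationship the accepted-risks table relies on: when a project switches to publishing from a CI workflow with provenance, the publisher identity changes and `gitHead` may stop being set by the client, but the attestation itself binds the tarball to a source repository and commit, which is why a missing `gitHead` is compensated rather than ignored. The attestation proves where the build ran, not that the source or the workflow was trustworthy, so it complements rather than replaces dependency review.

```javascript
// Added example (hypothetical package, constructed data): replays the
// report's per-version provenance checks over registry-shaped metadata.

// Constructed packument fragment shaped like the npm registry's "versions"
// object. Hashes, account names and URLs are made up for illustration.
const SAMPLE_VERSIONS = {
  '0.14.0': {
    gitHead: '0a1b2c3d4e5f60718293a4b5c6d7e8f901234567',
    _npmUser: { name: 'human-maintainer' },
    dist: { tarball: 'https://registry.example/pkg/-/pkg-0.14.0.tgz' },
  },
  '0.15.0': {
    gitHead: '1b2c3d4e5f60718293a4b5c6d7e8f90123456789',
    _npmUser: { name: 'ci-publisher' },
    dist: {
      tarball: 'https://registry.example/pkg/-/pkg-0.15.0.tgz',
      attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } },
    },
  },
  '0.16.0': {
    // gitHead deliberately absent: the publish flow stopped recording the commit.
    _npmUser: { name: 'ci-publisher' },
    dist: {
      tarball: 'https://registry.example/pkg/-/pkg-0.16.0.tgz',
      attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } },
    },
  },
};

// Numeric major.minor.patch ordering so "0.11.8" sorts before "0.11.20";
// prerelease suffixes are not handled here.
function compareSemver(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the versions oldest to newest and emit the report's rule names.
// "missing-githead" fires only once some earlier version carried a gitHead;
// "publisher-changed" compares against the most recent known publisher.
function provenanceFindings(versions) {
  const findings = {};
  let prevPublisher = null;
  let seenGitHead = false;
  for (const v of Object.keys(versions).sort(compareSemver)) {
    const meta = versions[v];
    const rules = [];
    const predicate = meta.dist?.attestations?.provenance?.predicateType;
    rules.push(predicate ? `has-provenance:${predicate}` : 'no-provenance');
    if (!meta.gitHead && seenGitHead) rules.push('missing-githead');
    const publisher = meta._npmUser?.name ?? null;
    if (prevPublisher && publisher && publisher !== prevPublisher) {
      rules.push(`publisher-changed:${prevPublisher}->${publisher}`);
    }
    if (meta.gitHead) seenGitHead = true;
    if (publisher) prevPublisher = publisher;
    findings[v] = rules;
  }
  return findings;
}

// Stand-alone run: print one line per version in the report's style.
for (const [v, rules] of Object.entries(provenanceFindings(SAMPLE_VERSIONS))) {
  console.log(`v${v} (${rules.length} finding${rules.length === 1 ? '' : 's'}): ${rules.join('; ')}`);
}
```

To run the same checks against the real package, fetch the metadata per version with `npm view @tryghost/mg-wp-api@0.21.0 gitHead _npmUser dist.attestations --json` (or the whole packument with `npm view @tryghost/mg-wp-api --json`) and feed the `versions` object to `provenanceFindings`. To have npm cryptographically verify the attestations rather than just observe their presence, run `npm audit signatures` in a project that depends on the package; the script above only reads metadata and does not validate any signature.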