@upstash/redis
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:chunk-2X4SLXT7.mjs | AI (source-diff): Bundled build artifact for HTTP-based Redis client; network+exec is core functionality. | ai | |
| source-diff | net-exec-file:zmscore-BshEAkn7.d.ts | AI (source-diff): Type declaration file; no executable code. False positive. | ai | |
| source-diff | net-exec-file:chunk-AIBLSL5D.mjs | AI (source-diff): Bundled Redis HTTP client; network+exec is core functionality. | ai | |
| source-diff | net-exec-file:zmscore-BshEAkn7.d.mts | AI (source-diff): Type declaration file; no executable code. False positive. | ai | |
| source-diff | obfuscated-file:zmscore-BshEAkn7.d.ts | AI (source-diff): Bundled TypeScript declaration file with long type-union lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:zmscore-BshEAkn7.d.mts | AI (source-diff): Bundled TypeScript declaration file with long type-union lines; not obfuscation. | ai | |
| source-diff | net-exec-file:chunk-JXBYIALB.mjs | AI (source-diff): Bundled Redis client source; network calls are core functionality. | ai | |
| source-diff | net-exec-file:chunk-CXQK4IKU.mjs | AI (source-diff): Bundled SDK entry point with HTTP client logic; expected for a Redis HTTP client. | ai | |
| source-diff | net-exec-file:zmscore-DzNHSWxc.d.ts | AI (source-diff): Type declarations only; no executable code. | ai | |
| source-diff | net-exec-file:chunk-QZ3IMTW7.mjs | AI (source-diff): Bundled Redis client code; network calls are the product's core function. | ai | |
| source-diff | net-exec-file:zmscore-DzNHSWxc.d.mts | AI (source-diff): Type declarations only; no executable code. | ai | |
| source-diff | obfuscated-file:zmscore-DzNHSWxc.d.ts | AI (source-diff): TypeScript declaration file with long type-union lines, not obfuscation. | ai | |
| source-diff | obfuscated-file:zmscore-DzNHSWxc.d.mts | AI (source-diff): TypeScript declaration file with long type-union lines, not obfuscation. | ai | |
| source-diff | net-exec-file:zmscore-Cq_Bzgy4.d.ts | AI (source-diff): Type declarations only; no executable code. | ai | |
| source-diff | net-exec-file:zmscore-Cq_Bzgy4.d.mts | AI (source-diff): Type declarations only; no executable code. | ai | |
| source-diff | obfuscated-file:zmscore-Cq_Bzgy4.d.ts | AI (source-diff): TypeScript declaration bundle with long type-union lines; not obfuscated. | ai | |
| source-diff | obfuscated-file:zmscore-Cq_Bzgy4.d.mts | AI (source-diff): TypeScript declaration bundle with long type-union lines; not obfuscated. | ai | |
| source-diff | net-exec-file:chunk-TAJI6TAE.mjs | AI (source-diff): Bundled SDK module with HTTP client logic; expected for a Redis HTTP client. | ai | |
| source-diff | net-exec-file:chunk-XJQAWEWD.mjs | AI (source-diff): Standard bundled Redis client code; network calls are the product's purpose. | ai | |
| source-diff | obfuscated-file:zmscore-DWj9Vh1g.d.mts | AI (source-diff): TypeScript declaration file with long type-union lines; not obfuscated code. | ai | |
| source-diff | obfuscated-file:zmscore-DWj9Vh1g.d.ts | AI (source-diff): TypeScript declaration file with long type-union lines; not obfuscated code. | ai | |
| source-diff | net-exec-file:zmscore-DWj9Vh1g.d.mts | AI (source-diff): Type declaration file; no executable code. | ai | |
| source-diff | net-exec-file:zmscore-DWj9Vh1g.d.ts | AI (source-diff): Type declaration file; no executable code. | ai | |
| source-diff | obfuscated-file:zmscore-CgRD7oFR.d.mts | AI (source-diff): TypeScript .d.mts declaration file with long type lines, not obfuscation. | ai | |
| source-diff | net-exec-file:chunk-2BA3VA6P.mjs | AI (source-diff): Bundled Redis client with fetch calls; expected for this HTTP-based Redis SDK. | ai | |
| source-diff | net-exec-file:zmscore-CgRD7oFR.d.ts | AI (source-diff): Type declaration file; no executable code. | ai | |
| source-diff | net-exec-file:zmscore-CgRD7oFR.d.mts | AI (source-diff): Type declaration file; no executable code. | ai | |
| source-diff | obfuscated-file:zmscore-CgRD7oFR.d.ts | AI (source-diff): TypeScript .d.ts declaration file with long type lines, not obfuscation. | ai | |
| source-diff | obfuscated-file:zmscore-Dq2s28SC.d.ts | AI (source-diff): Bundled TypeScript declaration file with long type definition lines; not obfuscated. .d.ts files are inert type declarations. | ai | |
| source-diff | net-exec-file:chunk-MBZJLX7T.mjs | AI (source-diff): Bundled Redis client code; network calls + dynamic patterns are inherent to an HTTP-based Redis client built with tsup. | ai | |
| source-diff | net-exec-file:zmscore-Dq2s28SC.d.ts | AI (source-diff): TypeScript declaration file (.d.ts) — cannot execute code. False positive from type signatures mentioning network-related types. | ai | |
| source-diff | net-exec-file:zmscore-Dq2s28SC.d.mts | AI (source-diff): TypeScript declaration file (.d.mts) — cannot execute code. False positive from type signatures mentioning network-related types. | ai | |
| source-diff | obfuscated-file:zmscore-Dq2s28SC.d.mts | AI (source-diff): Bundled TypeScript declaration file with long type definition lines; not obfuscated. .d.mts files are inert type declarations. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): The base64 decode is a standard atob() polyfill for Node.js environments. No malicious payload; this is a well-known compatibility pattern stable across versions. | ai | |
| typosquat | typosquat.levenshtein:redux | AI (typosquat): @upstash/redis is a legitimate, scoped Upstash package with 1646 days of history and 2.3M weekly downloads. Levenshtein match to 'redux' is a false positive with no brand or purpose overlap. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 1.38.0 | 1 / 3 | |
| 1.37.0 | 1 / 3 | |
| 1.36.4 | 1 / 12 | |
| 1.36.3 | 1 / 12 | |
| 1.36.2 | 1 / 12 | |
| 1.36.1 | 1 / 12 | |
| 1.36.0 | 1 / 12 | |
| 1.35.8 | 1 / 12 | |
| 1.35.7 | 1 / 12 | |
| 1.35.6 | 1 / 12 | |
| 1.35.5 | 1 / 12 | |
| 1.35.4 | 1 / 12 | |
| 1.35.3 | 1 / 12 | |
| 1.35.2 | 1 / 12 | |
| 1.35.1 | 1 / 12 | |
| 1.35.0 | 1 / 12 | |
| 1.34.9 | 1 / 13 | |
v1.38.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.4
7 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.6
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.5
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.4
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.3
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.2
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.1
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.35.0
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.34.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.