@whook/dev — Greenflagged

Whook development dependencies.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nfroidure

Keywords

whookknifecycleRESTHTTPOpenAPIwebservicehandlerserverframework

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:ts-morph	AI (phantom-deps): ts-morph is a build/config dependency; correctly declared and used in metapak/build context.	ai	2026/04/30
dependencies	unvetted-dep:knifecycle	AI (dependencies): Core dependency of the whook ecosystem maintained by the same author.	ai	2026/04/29
dependencies	unvetted-dep:@whook/whook	AI (dependencies): Same monorepo package; stable ecosystem dependency.	ai	2026/04/29
dependencies	unvetted-dep:common-services	AI (dependencies): Established companion package by same author.	ai	2026/04/29
typosquat	typosquat.levenshtein:ajv	AI (typosquat): Scoped @whook/dev package; Levenshtein match to 'ajv' is a false positive with no real similarity.	ai	2026/04/29
dependencies	unvetted-dep:ya-open-api-types	AI (dependencies): OpenAPI types package in the same ecosystem; no risk signals.	ai	2026/04/29
dependencies	unvetted-dep:esbuild-node-externals	AI (dependencies): Popular esbuild utility plugin; well-known in the ecosystem.	ai	2026/04/29
dependencies	unvetted-dep:schema2dts	AI (dependencies): Known utility by same author; no risk signals.	ai	2026/04/29