@zero-transfer/sftp MIT 6 versions

@zero-transfer/sftp

npm Repository Homepage

SFTP with SSH key auth, known_hosts, and jump-host support.

6

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

molex222

Keywords

zero-transfersftpsftpssh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/index.d.mts	AI (source-diff): Long lines in .d.mts are bundled TypeScript type declarations, not obfuscated code. Sample confirms clean, commented interfaces.	ai	2026/05/27
source-diff	source-size-tripled	AI (source-diff): Size increase is from bundling ssh2 type declarations and source maps into the dist output, not injected payloads.	ai	2026/05/27
publish-pattern	new-deps-added	AI (publish-pattern): ssh2 is the canonical SSH/SFTP library for Node.js; expected dependency for an SFTP package.	ai	2026/05/27

Versions (showing 6 of 6)

Version	Deps	Published
0.1.6	1 / 0	2026-04-29
0.1.5	1 / 0	2026-04-29
0.1.4	0 / 0	2026-04-29
0.1.3	0 / 0	2026-04-29
0.1.2	0 / 0	2026-04-29
0.1.1	0 / 0	2026-04-29

v0.1.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.5

2 findings

HIGH New obfuscated file: dist/index.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.