@zipbul/baker — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

parkrevil

Keywords

aotbunclass-transformerclass-validatorclass-validator-alternativecode-generationdecoratordeserializedtofast-validationruntime-validationschema-validationserializetransformtransformertype-safetypescriptvalidationvalidatorzod-alternative

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/index-gcptd79v.js	AI (source-diff): Bun bundler output (// @bun header, readable minified ESM); not obfuscated, stable pattern for this package.	ai	2026/05/29
source-diff	obfuscated-file:dist/index-3gcf6hkv.js	AI (source-diff): Bun bundler output (// @bun header); minified ESM split chunk, not obfuscated malware.	ai	2026/05/25
source-diff	obfuscated-file:dist/index-wy5sh2nx.js	AI (source-diff): Bun bundler output (// @bun header); minified ESM split chunk, not obfuscated malware.	ai	2026/05/25
source-diff	obfuscated-file:dist/index-jzjz61tg.js	AI (source-diff): Standard Bun bundler output with linked sourcemap; not obfuscated, just minified ESM.	ai	2026/05/20
provenance	publisher-changed	AI (provenance): Transition from personal account to GitHub Actions CI/CD is expected and backed by SLSA provenance attestation.	ai	2026/05/20

Versions (showing 16 of 16)

Version	Deps	Published
3.4.0	1 / 21	2026-06-02
3.3.1	1 / 21	2026-05-28
3.3.0	1 / 21	2026-05-27
3.2.0	1 / 21	2026-05-27
3.1.0	1 / 21	2026-05-27
3.0.1	1 / 21	2026-05-25
3.0.0	1 / 21	2026-05-25
2.2.0	1 / 16	2026-04-06
2.1.0	1 / 16	2026-03-31
2.0.0	1 / 14	2026-03-30
1.1.0	1 / 5	2026-03-16
1.0.0	1 / 5	2026-03-16
0.1.2	1 / 5	2026-03-04
0.1.1	1 / 5	2026-03-03
0.1.0	1 / 5	2026-03-03
0.0.1	1 / 5	2026-02-23

v3.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.0

3 findings

HIGH Publisher changed: parkrevil → GitHub Actions (on 2026-03-16) provenance

This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index-gcptd79v.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

2 findings

HIGH Publisher changed: parkrevil → GitHub Actions (on 2026-03-16) provenance

This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

4 findings

HIGH Publisher changed: parkrevil → GitHub Actions (on 2026-03-04) provenance

This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index-3gcf6hkv.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-wy5sh2nx.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

3 findings

HIGH Publisher changed: parkrevil → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index-jzjz61tg.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

3 findings

HIGH Publisher changed: parkrevil → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index-jzjz61tg.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.