as-procedure

Versions: 7
License
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

uladkasach

Keywords

procedure, pit-of-success

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source          | Rule                                  | Reason                                                                                                                               | Accepted by | When
phantom-deps    | phantom-dep:test-fns                  | AI (phantom-deps): test-fns is a runtime dep per package.json; phantom-dep heuristic is a false positive here.                       | ai          |
provenance      | publisher-changed                     | AI (provenance): Transition to GitHub Actions CI publisher with SLSA attestation is intentional automation; consistent with ehmpathy org practices. | ai          |
publish-pattern | new-deps-added                        | AI (publish-pattern): helpful-errors is a small established utility from the same author ecosystem; low risk.                        | ai          |
phantom-deps    | phantom-dep:simple-log-methods        | AI (phantom-deps): Listed in package.json 'forwarded' field as a re-exported peer dep; not a true phantom dependency.                | ai          |
phantom-deps    | phantom-dep:domain-glossary-procedure | AI (phantom-deps): Listed in package.json 'forwarded' field as a re-exported peer dep; not a true phantom dependency.                | ai          |
install-scripts | install-script:postinstall            | AI (install-scripts): Standard husky git-hooks setup; only runs when .git dir exists, safe for downstream consumers.                 | ai          |

Versions (showing 7 of 7)

Version | Deps   | Published
1.1.12  | 5 / 29 |
1.1.11  | 5 / 28 |
1.1.10  | 9 / 21 |
1.1.9   | 6 / 23 |
1.1.8   | 6 / 23 |
1.1.7   | 6 / 23 |
1.1.0   | 6 / 23 |

v1.1.12

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.11

2 findings
HIGH (provenance): Publisher changed: uladkasach → GitHub Actions (on 2026-01-05)

This version was published by a different npm account than previous versions on 2026-01-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.10

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.9

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.8

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.7

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: [ -d .git ] && npm run prepare:husky || exit 0

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.