autoevals
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): pnpm-only enforcement guard; no side effects beyond checking user agent and exiting. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in bundled output for property access; standard JS pattern, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Consistent across all 123 versions; no provenance is the norm for this publisher. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in numeric transform helper to compile user-supplied math expressions; not a code-injection risk in this context. | ai | |
| phantom-deps | phantom-dep:linear-sum-assignment | AI (phantom-deps): Declared runtime dep used internally; phantom-dep heuristic fires because it's not directly imported at top level. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.3.0 | 8 / 13 | |
| 0.0.132 | 9 / 12 | |
| 0.0.131 | 9 / 12 | |
| 0.0.130 | 9 / 12 | |
| 0.0.129 | 10 / 12 |
v0.3.0
3 findingsScript: node -e "const userAgent = process.env.npm_config_user_agent || ''; if (process.env.INIT_CWD === process.cwd() && !userAgent.includes('pnpm/')) { console.error('Use pnpm in this repo.'); process.exit(1); }"
This version was published by a different npm account than previous versions on 2026-06-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.132
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.