customerio-node — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

beardfurykevinkucharczykami-ci

Keywords

customerionode

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Package now publishes via GitHub Actions CI with SLSA attestation; this is the expected pattern for org-managed packages.	ai	2026/05/30
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer change aligns with org-level transition to CI-based publishing; no malicious indicators.	ai	2026/05/30
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers consistent with org restructuring; no code changes or suspicious artifacts.	ai	2026/05/30
email-domain	unclaimed-email:enlist.io	AI (email-domain): Package is the official Customer.io Node SDK with 10yr history; enlist.io may be defunct but org ownership is clear via GitHub.	ai	2026/05/01

Versions (showing 5 of 5)

Version	Deps	Published
4.5.1	0 / 10	2026-05-20
4.5.0	0 / 10	2026-05-15
4.4.0	0 / 10	2026-04-28
4.3.0	0 / 10	2026-02-19
4.2.0	0 / 10	2025-06-13

v4.5.1

2 findings

HIGH Publisher changed: ami-ci → GitHub Actions (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.0

2 findings

HIGH Publisher changed: ami-ci → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.0

2 findings

HIGH Unclaimed maintainer email domain: enlist.io email-domain

Maintainer email '[email protected]' uses domain 'enlist.io' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.