← Home

degit

Straightforward project scaffolding

21
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

rich_harrisyoglib

Keywords

gitscaffoldingtemplate

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/src-DY0m71aH.js AI (source-diff): Minified tsdown/rollup build output, not obfuscation; stable for this bundled package. ai
source-diff obfuscated-file:dist/src-DwvgxSD3.js AI (source-diff): Minified bundle output. ai
source-diff net-exec-file:dist/git-client-DCnd9iHG.js AI (source-diff): execFile(git) + https for repo fetch is the package's stated scaffolding function. ai
source-diff obfuscated-file:dist/git-client-DCnd9iHG.js AI (source-diff): tsdown/rollup minified build output, not obfuscation; regenerated per release. ai
source-diff obfuscated-file:dist/src-E-qk4TCn.js AI (source-diff): Minified bundle output; benign. ai
source-diff obfuscated-file:dist/utils-Cv0knjp1.js AI (source-diff): Minified bundle output; benign. ai
source-diff obfuscated-file:dist/src-inRH1O2P.js AI (source-diff): Bundled minified build output. ai
source-diff obfuscated-file:dist/git-client-BgCkEK6k.js AI (source-diff): Minified tsdown/rollup bundle output, not obfuscation; stable for this build pipeline. ai
source-diff net-exec-file:dist/git-client-BgCkEK6k.js AI (source-diff): child_process/https are degit's core git-clone function, not a dropper. ai
source-diff obfuscated-file:dist/src-DHhmd-fH.js AI (source-diff): Minified bundle output. ai
source-diff obfuscated-file:dist/utils-LfnDTRRE.js AI (source-diff): Minified bundle output. ai
source-diff obfuscated-file:dist/src-CFp2W7pC.js AI (source-diff): Minified bundle output from tsdown; not obfuscation. ai
source-diff net-exec-file:dist/git-client-C5msPBhZ.js AI (source-diff): execFile/spawn + https are degit's core git-clone behavior; benign. ai
source-diff obfuscated-file:dist/git-client-C5msPBhZ.js AI (source-diff): tsdown/rollup bundle output, not obfuscation; expected for this build tool. ai
source-diff obfuscated-file:dist/src-JEBmbL9p.js AI (source-diff): tsdown bundle output; minified, not obfuscated. ai
source-diff obfuscated-file:dist/git-client-LNHjOin4.js AI (source-diff): tsdown bundle output with clean import banner; minified, not obfuscated. ai
source-diff net-exec-file:dist/git-client-LNHjOin4.js AI (source-diff): execFile of git (https clone) is degit's core function; benign net+exec. ai
source-diff obfuscated-file:dist/utils-C1C05iAz.js AI (source-diff): tsdown bundle output; minified, not obfuscated. ai
provenance publisher-changed AI (provenance): Transition to CI/CD-attested publish for canonical degit; repo/author unchanged. ai
source-diff obfuscated-file:dist/src-DSovz3E6.js AI (source-diff): Minified tsdown bundle output, not obfuscation; expected for this package's build. ai
source-diff obfuscated-file:dist/src-EPt0Qw0q.js AI (source-diff): Minified tsdown build output, not obfuscation; benign for this build-tool package. ai
source-diff obfuscated-file:dist/client-D_Z5xiWr.js AI (source-diff): Minified tsdown bundle output, not obfuscation. ai
source-diff net-exec-file:dist/client-D_Z5xiWr.js AI (source-diff): https fetch + git exec is degit's core documented function. ai
source-diff obfuscated-file:dist/utils-wUrCivUe.js AI (source-diff): Minified tsdown bundle output, not obfuscation. ai
source-diff obfuscated-file:dist/src-BSwRaIkD.js AI (source-diff): Minified tsdown bundle output, not obfuscation. ai

Versions (showing 21 of 21)

Version Deps Published
3.6.0 0 / 22
3.5.1 0 / 22
3.5.0 0 / 22
3.4.7 0 / 21
3.4.6 0 / 21
3.4.5 0 / 21
3.4.4 0 / 22
3.4.2 0 / 23
3.4.1 0 / 23
3.4.0 0 / 23
3.3.2 0 / 22
3.3.1 0 / 22
3.3.0 0 / 22
3.2.0 0 / 23
3.1.2 0 / 23
3.1.1 0 / 23
3.1.0 0 / 23
3.0.0 0 / 23
2.8.6 0 / 23
2.8.5 0 / 23
2.8.4 0 / 22

v3.6.0

2 findings
HIGH New obfuscated file: dist/src-DSovz3E6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.5.1

2 findings
HIGH New obfuscated file: dist/src-EPt0Qw0q.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.5.0

6 findings
HIGH New obfuscated file: dist/client-D_Z5xiWr.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/client-D_Z5xiWr.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-BSwRaIkD.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-wUrCivUe.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: yoglib → GitHub Actions (on 2026-07-12, now via trusted publisher with provenance) provenance

This version was published by a different npm account (GitHub Actions) than the most recent previously approved version (yoglib) on 2026-07-12, but it carries Sigstore provenance attestation. This means the package moved to a trusted publisher (CI/CD with OIDC, e.g. GitHub Actions) — a supply-chain integrity improvement, not a compromise, since a stolen npm token cannot forge provenance bound to the source repository. Recorded as INFO for audit trail.

v3.4.7

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-11) provenance

This version was published by a different npm account than previous versions on 2026-06-11. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-C5msPBhZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-C5msPBhZ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-DY0m71aH.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-C1C05iAz.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.6

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-09) provenance

This version was published by a different npm account than previous versions on 2026-06-09. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-C5msPBhZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-C5msPBhZ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-CFp2W7pC.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-C1C05iAz.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.5

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-09) provenance

This version was published by a different npm account than previous versions on 2026-06-09. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-C5msPBhZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-C5msPBhZ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-inRH1O2P.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-C1C05iAz.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.4

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-08) provenance

This version was published by a different npm account than previous versions on 2026-06-08. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-LNHjOin4.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-LNHjOin4.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-JEBmbL9p.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-C1C05iAz.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.2

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-04) provenance

This version was published by a different npm account than previous versions on 2026-06-04. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-BgCkEK6k.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-BgCkEK6k.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-DHhmd-fH.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-LfnDTRRE.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.1

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-04) provenance

This version was published by a different npm account than previous versions on 2026-06-04. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-BgCkEK6k.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-BgCkEK6k.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-DwvgxSD3.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-LfnDTRRE.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.0

6 findings
HIGH Publisher changed: yoglib → GitHub Actions (on 2026-06-04) provenance

This version was published by a different npm account than previous versions on 2026-06-04. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/git-client-DCnd9iHG.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/git-client-DCnd9iHG.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/src-E-qk4TCn.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/utils-Cv0knjp1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.0

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: rich_harris → yoglib (on 2026-05-24, known maintainer) provenance

This version was published by a different npm account (yoglib) than the most recent previously approved version (rich_harris) on 2026-05-24, but yoglib is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.0.0

2 findings
HIGH Publisher changed: rich_harris → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.8.6

1 finding
HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

v2.8.5

2 findings
HIGH Publisher changed: rich_harris → yoglib (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.