discord-protos @1.2.117
A parser for Discord's protobufs
Maintainers
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| @protobuf-ts/runtime | ^2.11.1 | auto_approved |
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| puppeteer | ^24.37.5 | auto_approved |
| typescript | ^5.9.3 | auto_approved |
| @protobuf-ts/plugin | ^2.11.1 | pending |
| @protobuf-ts/protoc | ^2.11.1 | auto_approved |
Transitive Dependency Tree
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Loss of provenance attestation after a history of CI/CD-attested publishes is a strong supply-chain compromise signal; this judgment generalizes until attestations are restored. |
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher change combined with lost provenance and dormancy is a high-risk pattern; should be re-evaluated only after the transition is verified and provenance restored. |
SAST Findings (3)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dolfies.
This version was published by a different npm account than previous versions on 2026-02-28. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 88. Findings: 3 high (+75), 1 medium (+10), 1 low (+3).
Published to npm: