fhirpath
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:benny | AI (npm-metadata): benny is a devDependency benchmark tool; SHA-pinned commit is a dev workflow artifact, not a runtime supply-chain risk. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Rebuilds benny devDep from a pinned git commit to fix a known issue; documented, benign, stable pattern for this package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall runs bin/install-demo.js, a demo-setup helper documented in the HL7 fhirpath.js repo; stable pattern for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only in demo install helper, not in runtime library code; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): js-yaml is a declared runtime dep used in config/CLI tooling; phantom-dep heuristic misfires here. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is used in the CLI bin entry; phantom-dep heuristic misfires here. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 4.10.1 | 7 / 27 | |
| 4.10.0 | 7 / 27 | |
| 4.9.3 | 7 / 27 | |
| 4.9.1 | 7 / 26 | |
| 4.8.5 | 6 / 27 | |
| 4.8.4 | 6 / 27 | |
| 4.8.3 | 6 / 27 | |
| 4.8.1 | 6 / 26 | |
| 4.8.0 | 6 / 26 | |
| 4.7.0 | 6 / 26 | |
| 4.6.1 | 6 / 26 | |
| 4.6.0 | 6 / 26 | |
| 4.5.0 | 6 / 26 | |
| 4.4.1 | 5 / 26 | |
| 4.3.0 | 5 / 26 | |
| 4.2.1 | 5 / 26 | |
v4.10.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.0
2 findings: Script (preinstall): `node bin/install-demo.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.3
2 findings: Script (preinstall): `node bin/install-demo.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.1
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.5
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.4
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.3
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.1
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.0
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.0
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.1
2 findings: Script (postinstall): `echo "Building the Benny package based on a pull request which fixes an issue with 'statusShift'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.0
2 findings: Dependency 'benny' in `devDependencies` points to 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
2 findings: Dependency 'benny' in `devDependencies` points to 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.1
2 findings: Dependency 'benny' in `devDependencies` points to 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.0
2 findings: Dependency 'benny' in `devDependencies` points to 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.1
2 findings: Dependency 'benny' in `devDependencies` points to 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
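The three finding types on this page (a dependency pointing at a git commit instead of a registry version, lifecycle scripts that run on install, and a release with no Sigstore/SLSA attestation) can be reproduced on a local `package.json` with a short triage script. The block below is an added example written for this page; it is not code from the scanner or from the fhirpath.js project. It assumes Node 18+ and no third-party modules. The embedded sample manifest reuses the exact benny specifier and the two scripts reported above, while the package name, version and the `js-yaml`/`commander` version ranges are constructed placeholders. The shape assumed for the registry attestations endpoint (`/-/npm/v1/attestations/<name>@<version>` returning `{ attestations: [{ predicateType, bundle }] }`) is also an assumption, and the `hasSlsaProvenance` helper only checks that a SLSA predicate is present, it does not verify the Sigstore bundle.

```javascript
'use strict';
// Added example for this page: triage an npm manifest for the three signal
// types reported above. Not code from the scanner or from fhirpath.js.
// Runs offline on Node 18+ with no dependencies.

// Specifiers that resolve outside the registry: git/github/gitlab shorthand,
// http(s) tarballs, local paths, and bare "owner/repo" GitHub shorthand.
// A 40-hex fragment pins a commit; a branch, tag or no fragment is mutable
// and can be swapped upstream without the consumer's manifest changing.
const URL_SPEC = /^(git\+|github:|gitlab:|bitbucket:|gist:|https?:\/\/|git:\/\/|file:|\.\.?\/|\/)/;
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;
const COMMIT_SHA = /#([0-9a-f]{40})$/i;

// Hooks npm runs while installing or removing the package itself.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'preuninstall', 'postuninstall'];

// Groups a consumer's `npm install <pkg>` pulls in (npm 7+ installs peers
// automatically). devDependencies only run for people building the package.
const CONSUMER_GROUPS = ['dependencies', 'optionalDependencies', 'peerDependencies'];
const ALL_GROUPS = [...CONSUMER_GROUPS, 'devDependencies'];

function findUrlDependencies(manifest) {
  const findings = [];
  for (const group of ALL_GROUPS) {
    for (const [name, spec] of Object.entries(manifest[group] || {})) {
      if (typeof spec !== 'string') continue;
      if (!URL_SPEC.test(spec) && !GITHUB_SHORTHAND.test(spec)) continue;
      const m = COMMIT_SHA.exec(spec);
      findings.push({
        rule: `url-dep:${name}`,
        group,
        spec,
        pinnedCommit: m ? m[1].toLowerCase() : null,
        // A consumer-installed URL dep is the shape that delivers a payload;
        // a devDependency only reaches maintainers' machines and CI.
        severity: CONSUMER_GROUPS.includes(group) ? 'high' : 'low',
      });
    }
  }
  return findings;
}

function findInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({
      rule: `install-script:${hook}`,
      command: scripts[hook],
      // Heuristic: hooks that fetch or spawn nested installs deserve a read.
      fetchesOrSpawns: /\b(curl|wget|git clone|npm (i|install|ci))\b/.test(scripts[hook]),
      // `cmd || echo ...` swallows a failing cmd behind a success message.
      masksFailure: /\|\|\s*echo\b/.test(scripts[hook]),
    }));
}

// Assumed response shape of GET registry.npmjs.org/-/npm/v1/attestations/<name>@<version>:
// { attestations: [{ predicateType: 'https://slsa.dev/provenance/v1', bundle: {...} }, ...] }.
// A 404 or empty list is what "published without Sigstore provenance" means above.
// This only checks that a SLSA predicate exists; `npm audit signatures` does
// the cryptographic verification of the bundle against the registry keys.
function hasSlsaProvenance(attestationsResponse) {
  const list = (attestationsResponse && Array.isArray(attestationsResponse.attestations))
    ? attestationsResponse.attestations : [];
  return list.some((a) => typeof a.predicateType === 'string'
    && a.predicateType.startsWith('https://slsa.dev/provenance/'));
}

function triage(manifest, attestationsResponse = null) {
  return {
    urlDeps: findUrlDependencies(manifest),
    installScripts: findInstallScripts(manifest),
    slsaProvenance: hasSlsaProvenance(attestationsResponse),
  };
}

// Constructed sample: the benny specifier and the two hook commands are the
// ones reported on this page; name, version and the runtime dep ranges are
// placeholders for the example.
const SAMPLE_MANIFEST = {
  name: 'example-package',
  version: '0.0.0',
  dependencies: { 'js-yaml': '^4.0.0', commander: '^12.0.0' },
  devDependencies: { benny: 'github:caderek/benny#0ad058d3c7ef0b488a8fe9ae3519159fc7f36bb6' },
  scripts: {
    preinstall: 'node bin/install-demo.js',
    postinstall: 'echo "Building the Benny package based on a pull request which fixes an issue with \'statusShift\'... " && (cd node_modules/benny && npm i && npm run build > /dev/null) || echo "Building the Benny package is completed."',
    test: 'mocha',
  },
};

// Stand-alone run: print the triage of the embedded sample (no attestations).
console.log(JSON.stringify(triage(SAMPLE_MANIFEST, null), null, 2));
```

The `masksFailure` flag on the postinstall hook is worth calling out: because of the trailing `|| echo "Building the Benny package is completed."`, the "completed" message prints exactly when the subshell fails, so a broken rebuild reports itself as success and a reviewer reading logs cannot tell the two apart. The benny specifier scores low only because it sits under `devDependencies`, which `npm install fhirpath` in a consumer project never installs; the same specifier under `optionalDependencies` scores high, which is the shape the url-dep finding above warns about. For the provenance question itself, run `npm audit signatures` in a project that has the package installed; it verifies registry signatures and any provenance attestations, whereas the helper here only reports whether an attestation is present.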