← Home

file-entry-cache

A lightweight cache for file metadata, ideal for processes that work on a specific set of files and only need to reprocess files that have changed since the last run

39
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

jaredwray

Keywords

file cachetask cache filesfile cachekey parkey valuecache

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Package migrated to a TypeScript build pipeline (tsup) in a monorepo; missing gitHead is consistent with a changed CI/CD publish flow, not a security concern for this package. ai
source-diff source-size-tripled AI (source-diff): Size increase is explained by migration to TypeScript with tsup build pipeline producing CJS+ESM+type declaration outputs in dist/. This is a structural change, not an injected payload. ai
source-diff obfuscated-file:dist/index.js AI (source-diff): dist/index.js is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. ai
maintainer-change maintainer-takeover AI (maintainer-change): jaredwray is the legitimate new steward of the cacheable ecosystem (github.com/jaredwray/cacheable). 48 approved packages, 929 days history, no rejections. Transition is documented in the repo. ai
maintainer-change maintainer-removed AI (maintainer-change): royriojas transferred stewardship to jaredwray for the cacheable monorepo. Legitimate transition. ai
provenance publisher-changed AI (provenance): Publisher change from royriojas to jaredwray is a documented legitimate transfer to the cacheable monorepo maintainer. ai
maintainer-change maintainer-added AI (maintainer-change): jaredwray is a well-established npm publisher with a clean track record, taking over the cacheable ecosystem packages. ai
source-diff obfuscated-file:dist/index.cjs AI (source-diff): dist/index.cjs is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. ai
dependencies unvetted-dep:flat-cache AI (dependencies): flat-cache is a well-known caching library maintained by the same author (jaredwray) in the same cacheable monorepo; it is a legitimate and expected dependency for this package. ai
provenance no-provenance AI (provenance): Absence of Sigstore provenance is common (~88% of npm packages) and not a security concern for this package given its clean metadata and known repository. ai

Versions (showing 39 of 39)

Version Deps Published
11.1.5 1 / 3
11.1.3 1 / 3
11.1.2 1 / 8
11.1.1 1 / 8
11.1.0 1 / 8
11.0.0 1 / 8
10.1.4 1 / 7
10.1.3 1 / 7
10.1.1 1 / 7
10.1.0 1 / 7
10.0.8 1 / 7
10.0.7 1 / 7
10.0.6 1 / 7
10.0.5 1 / 7
10.0.4 1 / 7
10.0.3 1 / 7
10.0.2 1 / 7
10.0.1 1 / 7
10.0.0 1 / 7
9.1.0 1 / 8
9.0.0 1 / 8
8.0.0 1 / 11
7.0.2 1 / 10
7.0.1 1 / 11
7.0.0 1 / 11
6.0.1 1 / 15
6.0.0 1 / 15
5.0.1 1 / 16
5.0.0 1 / 16
4.0.0 1 / 16
2.0.0 2 / 16
1.3.1 2 / 16
1.3.0 2 / 16
1.2.4 2 / 17
1.2.3 2 / 17
1.2.0 2 / 17
1.1.1 2 / 12
1.0.1 2 / 12
1.0.0 2 / 12

v11.1.5

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: jaredwray → GitHub Actions (on 2026-06-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-27. This could indicate a legitimate maintainer transition or an account compromise.

v11.1.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.