file-entry-cache
A lightweight cache for file metadata, ideal for processes that work on a specific set of files and only need to reprocess files that have changed since the last run
39
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
jaredwray
Keywords
file cachetask cache filesfile cachekey parkey valuecache
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Package migrated to a TypeScript build pipeline (tsup) in a monorepo; missing gitHead is consistent with a changed CI/CD publish flow, not a security concern for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by migration to TypeScript with tsup build pipeline producing CJS+ESM+type declaration outputs in dist/. This is a structural change, not an injected payload. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): dist/index.js is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): jaredwray is the legitimate new steward of the cacheable ecosystem (github.com/jaredwray/cacheable). 48 approved packages, 929 days history, no rejections. Transition is documented in the repo. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): royriojas transferred stewardship to jaredwray for the cacheable monorepo. Legitimate transition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from royriojas to jaredwray is a documented legitimate transfer to the cacheable monorepo maintainer. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jaredwray is a well-established npm publisher with a clean track record, taking over the cacheable ecosystem packages. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): dist/index.cjs is standard tsup --minify build output. Code is readable file-cache logic with no malicious patterns. This package ships minified CJS+ESM bundles by design. | ai | |
| dependencies | unvetted-dep:flat-cache | AI (dependencies): flat-cache is a well-known caching library maintained by the same author (jaredwray) in the same cacheable monorepo; it is a legitimate and expected dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): Absence of Sigstore provenance is common (~88% of npm packages) and not a security concern for this package given its clean metadata and known repository. | ai |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 11.1.5 | 1 / 3 | |
| 11.1.3 | 1 / 3 | |
| 11.1.2 | 1 / 8 | |
| 11.1.1 | 1 / 8 | |
| 11.1.0 | 1 / 8 | |
| 11.0.0 | 1 / 8 | |
| 10.1.4 | 1 / 7 | |
| 10.1.3 | 1 / 7 | |
| 10.1.1 | 1 / 7 | |
| 10.1.0 | 1 / 7 | |
| 10.0.8 | 1 / 7 | |
| 10.0.7 | 1 / 7 | |
| 10.0.6 | 1 / 7 | |
| 10.0.5 | 1 / 7 | |
| 10.0.4 | 1 / 7 | |
| 10.0.3 | 1 / 7 | |
| 10.0.2 | 1 / 7 | |
| 10.0.1 | 1 / 7 | |
| 10.0.0 | 1 / 7 | |
| 9.1.0 | 1 / 8 | |
| 9.0.0 | 1 / 8 | |
| 8.0.0 | 1 / 11 | |
| 7.0.2 | 1 / 10 | |
| 7.0.1 | 1 / 11 | |
| 7.0.0 | 1 / 11 | |
| 6.0.1 | 1 / 15 | |
| 6.0.0 | 1 / 15 | |
| 5.0.1 | 1 / 16 | |
| 5.0.0 | 1 / 16 | |
| 4.0.0 | 1 / 16 | |
| 2.0.0 | 2 / 16 | |
| 1.3.1 | 2 / 16 | |
| 1.3.0 | 2 / 16 | |
| 1.2.4 | 2 / 17 | |
| 1.2.3 | 2 / 17 | |
| 1.2.0 | 2 / 17 | |
| 1.1.1 | 2 / 12 | |
| 1.0.1 | 2 / 12 | |
| 1.0.0 | 2 / 12 |
v11.1.5
2 findings
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
INFO
Publisher changed: jaredwray → GitHub Actions (on 2026-06-27)
provenance
[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-27. This could indicate a legitimate maintainer transition or an account compromise.
v11.1.3
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.