lazy-js-utils
A collection of lazy-loaded JavaScript utilities for efficient development
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Package is 1235 days old with 151 versions and a trusted publisher (simon_he, 186 approved packages). The 0.0.0 version is the legitimate initial release of this utility library, not a throwaway malicious package. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): @vueuse/core is a declared runtime dependency for Vue-related utilities; phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): vue is a declared runtime dependency for Vue-related utilities in this library; phantom-dep finding is a false positive for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): simple-git-hooks is a well-known git hook setup tool in devDependencies; it's a no-op for end-users since devDeps aren't installed by consumers. Standard contributor tooling pattern. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package-manager enforcement pattern used widely in open-source projects; no arbitrary code execution risk. | ai | |
| source-diff | obfuscated-file:dist/index-B9wcVoez.d.ts | AI (source-diff): Bundled TypeScript declaration file (.d.ts) with long lines is a normal tsdown build artifact; content is clearly type declarations, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/index-BHppThRy.d.cts | AI (source-diff): Bundled TypeScript declaration file (.d.cts) with long lines is a normal tsdown build artifact; content is clearly type declarations, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/index.d-DzlIJePD.d.ts | AI (source-diff): This is a bundled TypeScript declaration file (.d.ts) generated by tsdown. Long lines are from concatenated type declarations, not obfuscation. Type declaration files cannot execute code. | ai | |
| source-diff | obfuscated-file:dist/index.d-CnYtmGhw.d.cts | AI (source-diff): This is a bundled TypeScript declaration file (.d.cts) generated by tsdown. Long lines are from concatenated type declarations, not obfuscation. Type declaration files cannot execute code. | ai | |
| source-diff | obfuscated-file:dist/index-gLr-538e.d.ts | AI (source-diff): TypeScript declaration file generated by tsdown bundler; long lines are a normal artifact of bundled .d.ts files, not obfuscation. Content is plaintext type declarations. | ai | |
| source-diff | obfuscated-file:dist/index-HrxfisxT.d.cts | AI (source-diff): TypeScript declaration file generated by tsdown bundler; long lines are a normal artifact of bundled .d.ts/.d.cts files, not obfuscation. Content is plaintext type declarations. | ai | |
| source-diff | obfuscated-file:dist/index.d.mts | AI (source-diff): dist/index.d.mts is a bundled TypeScript declaration file generated by tsup. Long lines are a standard artifact of type bundling, not obfuscation. Content is clearly readable TS type definitions. | ai | |
| source-diff | obfuscated-file:dist/index-DicMG3C0.d.ts | AI (source-diff): Bundled TypeScript declaration file (.d.ts) with long lines produced by tsdown; content is readable type definitions, not obfuscated code. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-BvHSKjWo.d.cts | AI (source-diff): Bundled TypeScript declaration file (.d.cts) with long lines produced by tsdown; content is readable type definitions, not obfuscated code. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-eRhxEWLj.d.cts | AI (source-diff): This is a bundled TypeScript declaration file produced by tsdown. Long lines are type declarations, not obfuscated code. False positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/index-D97W5P9-.d.ts | AI (source-diff): This is a bundled TypeScript declaration file produced by tsdown. Long lines are type declarations, not obfuscated code. False positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/index.d-ChBnYO3_.d.cts | AI (source-diff): TypeScript declaration file with long lines from bundled type exports; readable type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): Bundler (tsdown/rollup) output with long lines from concatenated exports; code is readable and well-commented. Not actual obfuscation. | ai | |
| source-diff | net-exec-file:dist/index.cjs | AI (source-diff): Network calls are fetch wrapper utilities and dynamic import helpers — documented features of this JS utility library, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index.d.cts | AI (source-diff): TypeScript declaration barrel file with long export list; standard bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index.d-CKkEc0dg.d.ts | AI (source-diff): TypeScript declaration file with long lines from bundled type exports; readable type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-DBlOdh8o.d.cts | AI (source-diff): TypeScript declaration file generated by tsdown bundler; long lines are a known artifact of rolled-up .d.ts output, not obfuscation. Content is clearly legitimate type declarations. | ai | |
| source-diff | obfuscated-file:dist/index-CnsRMQ77.d.ts | AI (source-diff): TypeScript declaration file generated by tsdown bundler; long lines are a known artifact of rolled-up .d.ts output, not obfuscation. Content is clearly legitimate type declarations. | ai | |
| phantom-deps | phantom-dep:lazy-js-utils | AI (phantom-deps): Package lists itself as a dependency — unusual but a config artifact, not a security concern. Stable pattern for this package. | ai | |
| provenance | missing-githead | AI (provenance): Removal of prepublishOnly script explains missing gitHead; publisher has 174 approved packages and strong track record. Not a malicious signal. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 151 versions and trusted publisher; lack of Sigstore provenance is a workflow gap, not a security risk for this package. | ai | |
| source-diff | obfuscated-file:dist/index-Cku5GB6P.d.cts | AI (source-diff): Bundled TypeScript declaration file (.d.cts) generated by tsdown; long lines are concatenated type declarations, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-Bx_oy_c5.d.ts | AI (source-diff): Bundled TypeScript declaration file (.d.ts) generated by tsdown; long lines are concatenated type declarations, not obfuscation. Stable false positive for this package. | ai |
Versions (showing 51 of 151)
| Version | Deps | Published |
|---|---|---|
| 0.0.50 | 4 / 16 | |
| 0.0.49 | 4 / 16 | |
| 0.0.48 | 4 / 16 | |
| 0.0.47 | 4 / 16 | |
| 0.0.46 | 4 / 16 | |
| 0.0.45 | 4 / 16 | |
| 0.0.44 | 4 / 16 | |
| 0.0.43 | 4 / 16 | |
| 0.0.42 | 4 / 16 | |
| 0.0.41 | 4 / 16 | |
| 0.0.40 | 4 / 17 | |
| 0.0.39 | 4 / 16 | |
| 0.0.38 | 3 / 17 | |
| 0.0.37 | 0 / 22 | |
| 0.0.36 | 6 / 18 | |
| 0.0.35 | 6 / 18 | |
| 0.0.34 | 6 / 18 | |
| 0.0.33 | 6 / 18 | |
| 0.0.32 | 6 / 18 | |
| 0.0.31 | 6 / 18 | |
| 0.0.30 | 6 / 18 | |
| 0.0.29 | 6 / 18 | |
| 0.0.28 | 6 / 18 | |
| 0.0.27 | 6 / 18 | |
| 0.0.26 | 6 / 17 | |
| 0.0.25 | 6 / 17 | |
| 0.0.24 | 6 / 17 | |
| 0.0.23 | 6 / 17 | |
| 0.0.22 | 6 / 17 | |
| 0.0.21 | 6 / 17 | |
| 0.0.20 | 6 / 17 | |
| 0.0.19 | 6 / 16 | |
| 0.0.18 | 6 / 16 | |
| 0.0.17 | 6 / 16 | |
| 0.0.16 | 6 / 16 | |
| 0.0.15 | 6 / 16 | |
| 0.0.14 | 5 / 17 | |
| 0.0.13 | 6 / 17 | |
| 0.0.12 | 5 / 18 | |
| 0.0.11 | 6 / 17 | |
| 0.0.10 | 5 / 17 | |
| 0.0.9 | 5 / 17 | |
| 0.0.8 | 5 / 17 | |
| 0.0.7 | 5 / 16 | |
| 0.0.6 | 5 / 16 | |
| 0.0.5 | 5 / 16 | |
| 0.0.4 | 5 / 16 | |
| 0.0.3 | 6 / 15 | |
| 0.0.2 | 5 / 13 | |
| 0.0.1 | 5 / 13 | |
| 0.0.0 | 5 / 13 |
v0.0.50
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.49
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.46
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.45
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.44
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.43
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
3 findingsScript: npx only-allow pnpm
Script: simple-git-hooks
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
3 findingsScript: npx only-allow pnpm
Script: simple-git-hooks
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.