local-pkg — Greenflagged

Get information on local packages.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

antfusxzz

Keywords

package

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): sxzz is a known co-maintainer in antfu's ecosystem; legitimate handoff.	ai	2026/06/04
maintainer-change	maintainer-added	AI (maintainer-change): sxzz is an established collaborator across antfu's packages.	ai	2026/06/04
provenance	missing-githead	AI (provenance): CI migration to GitHub Actions with SLSA provenance; gitHead absence is expected.	ai	2026/05/26
publish-pattern	dormant-publish	AI (publish-pattern): Established package by prolific maintainer; dormancy is normal for stable utility libs.	ai	2026/05/26
semgrep	semgrep:dynamic-require	AI (semgrep): Core module-loading utility; dynamic require is the intended design of this package.	ai	2026/05/11
dependencies	unvetted-dep:pkg-types	AI (dependencies): pkg-types is an antfu-collective package widely used across the JS ecosystem; not a risk for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): antfu (Anthony Fu) is a well-known legitimate OSS developer; spam flag is a false positive. Inflated semver is explained by org migration from the original local-pkg package.	ai	2026/04/21

Versions (showing 7 of 7)

Version	Deps	Published
1.2.1	3 / 14	2026-05-21
1.2.0	3 / 14	2026-05-19
1.1.2	3 / 14	2025-08-20
1.1.1	3 / 14	2025-03-03
1.1.0	3 / 14	2025-02-27
1.0.0	2 / 13	2025-01-09
0.4.3	0 / 12	2023-01-19

v1.2.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.1

2 findings

HIGH Publisher changed: antfu → sxzz (on 2025-03-03) provenance

This version was published by a different npm account than previous versions on 2025-03-03. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

2 findings

HIGH Publisher changed: antfu → sxzz (on 2025-02-27) provenance

This version was published by a different npm account than previous versions on 2025-02-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.