n2words
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | slsa-provenance | AI (provenance): Package publishes via GitHub Actions with SLSA provenance; CI-based publishing is the documented workflow. | ai | |
| source-diff | obfuscated-file:dist/languages/ar.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/bn.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/cs.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/da.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/de.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/es.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/fr-BE.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/fr.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/gu.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/hbo.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/he.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/hi.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/hr.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/hu.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| source-diff | obfuscated-file:dist/languages/it.js | AI (source-diff): Standard rollup+terser UMD bundle; MIT header matches package version and repo. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions with SLSA provenance; legitimate CI/CD transition from manual publish. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): tylervigario is listed as a contributor in package.json; legitimate addition. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 7x size increase explained by addition of ~296 new locale dist files in major version. | ai | |
| source-diff | obfuscated-file:dist/am-ET.js | AI (source-diff): Standard rollup+terser minified locale bundle; MIT header present, logic is number-to-words conversion. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy followed by major version rewrite with SLSA provenance; consistent with legitimate project revival. | ai | |
| source-diff | obfuscated-file:dist/am-Latn-ET.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/ar-SA.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/az-AZ.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/bn-BD.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/cs-CZ.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/da-DK.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/de-DE.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/el-GR.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-AU.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-BD.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-CA.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-GB.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-GH.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-IE.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-IN.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | obfuscated-file:dist/en-KE.js | AI (source-diff): Standard rollup+terser minified locale bundle. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump added many new locale files; expected for this package's expansion. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 4.0.0 | 0 / 21 | |
| 3.1.0 | 0 / 25 | |
| 3.0.0 | 0 / 25 | |
| 2.0.0 | 0 / 24 | |
| 1.13.0 | 0 / 13 | |
v4.0.0
19 findings
This version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×17)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
17 findings
This version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×15)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.0
17 findings
This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×15)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
26 findings
This version was published by a different npm account than previous versions on 2026-01-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×24)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.