← Home

package-manager-detector

Package manager detector

24
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

antfubenmccannuserquin

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Package now publishes with SLSA provenance via CI/CD; missing gitHead is a side effect of the new publish environment, not a risk indicator. ai
provenance publisher-changed AI (provenance): antfu-collective packages intentionally transitioned to GitHub Actions CI/CD publishing; SLSA provenance attestation confirms builds occur in verified CI environment. This pattern is stable for this package. ai
bogus-package bogus-package AI (bogus-package): antfu (Anthony Fu) is a prolific legitimate OSS developer, not a spam publisher. S_KNOWN_SPAM_PUBLISHER is a false positive for this package. No-keywords is trivially benign for an established utility. ai

Versions (showing 24 of 24)

Version Deps Published
1.7.0 0 / 8
1.6.0 0 / 10
1.5.0 0 / 10
1.4.1 0 / 10
1.4.0 0 / 10
1.3.0 0 / 10
1.2.0 0 / 10
1.1.0 0 / 10
1.0.0 0 / 10
0.2.11 1 / 10
0.2.10 1 / 10
0.2.9 0 / 9
0.2.8 0 / 9
0.2.7 0 / 9
0.2.6 0 / 9
0.2.5 0 / 9
0.2.4 0 / 9
0.2.2 0 / 9
0.2.1 0 / 9
0.2.0 0 / 9
0.1.2 0 / 9
0.1.1 0 / 9
0.1.0 0 / 9
0.0.1 0 / 10

v1.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.