package-manager-detector
Package manager detector
24
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
antfubenmccannuserquin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Package now publishes with SLSA provenance via CI/CD; missing gitHead is a side effect of the new publish environment, not a risk indicator. | ai | |
| provenance | publisher-changed | AI (provenance): antfu-collective packages intentionally transitioned to GitHub Actions CI/CD publishing; SLSA provenance attestation confirms builds occur in verified CI environment. This pattern is stable for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): antfu (Anthony Fu) is a prolific legitimate OSS developer, not a spam publisher. S_KNOWN_SPAM_PUBLISHER is a false positive for this package. No-keywords is trivially benign for an established utility. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 1.7.0 | 0 / 8 | |
| 1.6.0 | 0 / 10 | |
| 1.5.0 | 0 / 10 | |
| 1.4.1 | 0 / 10 | |
| 1.4.0 | 0 / 10 | |
| 1.3.0 | 0 / 10 | |
| 1.2.0 | 0 / 10 | |
| 1.1.0 | 0 / 10 | |
| 1.0.0 | 0 / 10 | |
| 0.2.11 | 1 / 10 | |
| 0.2.10 | 1 / 10 | |
| 0.2.9 | 0 / 9 | |
| 0.2.8 | 0 / 9 | |
| 0.2.7 | 0 / 9 | |
| 0.2.6 | 0 / 9 | |
| 0.2.5 | 0 / 9 | |
| 0.2.4 | 0 / 9 | |
| 0.2.2 | 0 / 9 | |
| 0.2.1 | 0 / 9 | |
| 0.2.0 | 0 / 9 | |
| 0.1.2 | 0 / 9 | |
| 0.1.1 | 0 / 9 | |
| 0.1.0 | 0 / 9 | |
| 0.0.1 | 0 / 10 |
v1.7.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.