pastoralist
A tool to watch over node module resolutions and overrides
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-krz1repy.js | AI (source-diff): Minified output from bun build --minify --splitting; stable build artifact pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-jg5nx0cz.js | AI (source-diff): Minified output from bun build --minify --splitting; stable build artifact pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-5rqa5bwg.js | AI (source-diff): Minified bundle output from bun build --minify; content is legitimate pastoralist CLI code. | ai | |
| source-diff | obfuscated-file:dist/index-kd7ef6tp.js | AI (source-diff): Minified bundle output from bun build --minify; content is legitimate CLI entry point importing from sibling bundle. | ai | |
| source-diff | obfuscated-file:dist/index-jf4c8b8g.js | AI (source-diff): Minified bundle output from bun build --minify --splitting; content is legitimate pastoralist CLI code. | ai | |
| source-diff | obfuscated-file:dist/index-rsmpje4c.js | AI (source-diff): Minified bundle output from bun build --minify --splitting; content is legitimate pastoralist CLI code. | ai | |
| source-diff | obfuscated-file:dist/index-xhqs3ax6.js | AI (source-diff): Minified bun build output with --splitting; hash-suffixed filenames are expected artifacts of this build toolchain. | ai | |
| source-diff | obfuscated-file:dist/index-zhqchy50.js | AI (source-diff): Same bun --splitting build artifact; CLI entry point importing from the main bundle. | ai | |
| source-diff | obfuscated-file:dist/index-tgmq9j22.js | AI (source-diff): Minified CLI entry point bundled by bun build --minify; imports from sibling bundle, clearly legitimate. | ai | |
| source-diff | obfuscated-file:dist/index-sfcaw5ha.js | AI (source-diff): Minified output from bun build --minify; content is readable pastoralist logic, not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:inquirer | AI (phantom-deps): Monorepo workspace dep; not imported in published dist. | ai | |
| phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Monorepo workspace dep; not imported in published dist. | ai | |
| phantom-deps | phantom-dep:@astrojs/mdx | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| email-domain | unclaimed-email:https:jeffry.in | AI (email-domain): Not an email address — it's a URL in the author field; domain is the package's documented homepage. | ai | |
| phantom-deps | phantom-dep:@astrojs/react | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| phantom-deps | phantom-dep:@docsearch/css | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| phantom-deps | phantom-dep:gradient-string | AI (phantom-deps): Monorepo workspace dep; not imported in published dist. | ai | |
| phantom-deps | phantom-dep:@docsearch/js | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| phantom-deps | phantom-dep:astro | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| phantom-deps | phantom-dep:daisyui | AI (phantom-deps): Monorepo workspace dep for doc site; not part of published dist. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): Monorepo workspace dep; not imported in published dist. | ai | |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 1.12.0 | 0 / 8 | |
| 1.11.4 | 0 / 7 | |
| 1.11.3 | 0 / 7 | |
| 1.11.2 | 0 / 7 | |
| 1.11.1 | 0 / 7 | |
| 1.11.0 | 0 / 7 | |
| 1.10.0 | 0 / 7 | |
| 1.9.6 | 0 / 7 | |
| 1.9.5 | 0 / 7 | |
| 1.9.4 | 0 / 7 | |
| 1.9.3 | 0 / 7 | |
| 1.9.2 | 0 / 7 | |
| 1.9.1 | 0 / 7 | |
| 1.9.0 | 0 / 7 | |
| 1.8.4 | 0 / 7 | |
| 1.8.3 | 0 / 7 | |
| 1.8.2 | 0 / 7 | |
| 1.8.1 | 12 / 18 | |
| 1.8.0 | 12 / 18 | |
| 1.7.5 | 8 / 19 | |
| 1.7.4 | 8 / 19 | |
| 1.7.3 | 8 / 19 | |
| 1.7.2 | 7 / 19 | |
| 1.6.1 | 6 / 19 | |
| 1.6.0 | 6 / 19 | |
| 1.5.0 | 6 / 19 | |
| 1.4.0 | 6 / 25 | |
| 1.3.0 | 6 / 25 |
Findings per version

v1.11.4 (3 findings)
- (two files) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.3 (3 findings)
- (two files) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.2 (3 findings)
- (two files) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.1 (3 findings)
- (two files) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.0 (3 findings)
- (two files) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.10.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.6 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.5 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.4 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.3 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.1 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.4 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.3 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.2 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.1 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.0 (2 findings)
- Maintainer email 'https:jeffry.in' uses domain 'https:jeffry.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.5 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.4 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.3 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.2 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.1 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.