pathe
Universal filesystem path utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Major version bump (v2) by known maintainer pi0; dormancy is expected. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.Dh3l6lAN.cjs | AI (source-diff): Bundled/minified zeptomatch glob matcher; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.UZ-hd4nF.mjs | AI (source-diff): ESM counterpart of same bundled zeptomatch; standard build output. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.BLwDEnA5.mjs | AI (source-diff): ESM counterpart of same minified zeptomatch bundle; standard build output. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.b5CEUR1u.cjs | AI (source-diff): Minified bundle of zeptomatch dependency; standard unbuild output for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.DztlcRRt.cjs | AI (source-diff): Bundled/minified zeptomatch dependency output; standard build artifact for this package. | ai | |
| provenance | no-provenance | AI (provenance): Manual publish by known maintainer pi0; no provenance is normal for this project. | ai | |
| source-diff | obfuscated-file:dist/shared/pathe.DTxyUWQ9.mjs | AI (source-diff): ESM variant of same bundled zeptomatch output; standard build artifact. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.0.3 | 0 / 12 | |
| 2.0.2 | 0 / 12 | |
| 2.0.1 | 0 / 12 | |
| 2.0.0 | 0 / 12 | |
| 1.1.1 | 0 / 10 | |
v2.0.2
4 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (pi0) than the most recent previously approved version (danielroe) on 2025-01-17, but pi0 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.0.1
4 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (pi0) than the most recent previously approved version (danielroe) on 2025-01-09, but pi0 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.0.0
4 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (pi0) than the most recent previously approved version (danielroe) on 2025-01-03, but pi0 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.