← Home

pnpm

17
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

zkochanpnpmuser

Keywords

pnpmpnpm11dependenciesdependency managerefficientfasthardlinksinstallinstallerlinklockfilemodulesmonorepomulti-packagenpmpackage managerpackage.jsonpackagesprunerapidremoveshrinkwrapsymlinksuninstallworkspace

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/node_modules/emoji-regex/es2015/index.js AI (source-diff): emoji-regex is a well-known library; long lines are a Unicode regex pattern, not obfuscation. ai
source-diff obfuscated-file:dist/node_modules/emoji-regex/index.js AI (source-diff): Same as above — emoji-regex Unicode regex pattern bundled as expected. ai
source-diff obfuscated-file:dist/pnpm.cjs AI (source-diff): pnpm ships as a single esbuild bundle; long lines are expected minified output, not obfuscation. ai
source-diff net-exec-file:dist/pnpm.cjs AI (source-diff): pnpm is a package manager that inherently makes network calls and executes code; this is core functionality. ai
source-diff encoded-string-file:dist/pnpm.mjs AI (source-diff): Long base64 string is the llhttp WASM binary inside undici — a known, legitimate pattern for this package. ai
source-diff obfuscated-file:dist/pnpm.mjs AI (source-diff): pnpm ships a single bundled CLI artifact; minified output is expected and stable across versions. ai
source-diff net-exec-file:dist/pnpm.mjs AI (source-diff): Network calls and dynamic require in the bundled CLI are inherent to a package manager; not malicious. ai
provenance publisher-changed AI (provenance): SLSA provenance attestation confirms CI/CD publication; publisher account change is consistent with pnpm org automation. ai
source-diff encoded-string-file:dist/pnpm.cjs AI (source-diff): Brotli-compressed PnP hook data embedded in pnpm's bundle; stable, documented pattern across all pnpm versions. ai
npm-metadata bundled-binaries AI (npm-metadata): fastlist and reflink binaries are documented pnpm dependencies for process listing and copy-on-write; stable across versions. ai

Versions (showing 17 of 17)

Version Deps Published
11.13.0 0 / 0
11.12.0 3 / 107
11.11.0 0 / 0
11.10.0 0 / 0
11.9.0 0 / 0
11.8.0 0 / 0
11.7.0 0 / 0
11.6.0 0 / 0
11.5.3 0 / 0
11.5.2 0 / 0
11.5.1 0 / 0
11.5.0 0 / 0
11.4.0 0 / 0
11.2.2 0 / 0
11.2.1 0 / 0
11.2.0 0 / 0
10.33.2 0 / 0

v11.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.12.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.11.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.10.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.2.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.33.2

2 findings
HIGH Bundled binary files (6) npm-metadata

Package contains compiled binaries that could be backdoors: • dist/vendor/fastlist-0.3.0-x64.exe • dist/vendor/fastlist-0.3.0-x86.exe • dist/reflink.darwin-arm64-2HJ4WGO6.node • dist/reflink.darwin-x64-3G3H6IW4.node • dist/reflink.win32-arm64-msvc-Q6BARPPB.node • dist/reflink.win32-x64-msvc-J2TZHRQI.node

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.