signale
👋 Hackable console logger
4
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
klauscfhqklaussinani
Keywords
hackablecolorfulconsolelogger
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): signale 0.0.0 is the legitimate initial release from 2908 days ago with 2.8M weekly downloads; version 0.0.0 is not suspicious in this context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): signale is a well-established package with 2.8M weekly downloads and 6 approved-dep edges; sparse early-version metadata does not indicate spam or low value. | ai | |
| dependencies | unvetted-dep:figures | AI (dependencies): figures is a well-known sindresorhus package for terminal Unicode symbols; a stable, legitimate dependency for a console logger like signale. | ai | |
| provenance | publisher-changed | AI (provenance): klauscfhq → klaussinani is a documented personal npm username rebranding by the same author (Klaus Sinani). Repository and author email are consistent with the new identity. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Same rebranding event; klaussinani is the same person as klauscfhq. Not a third-party takeover. | ai | |
| provenance | no-provenance | AI (provenance): Package was published in 2019, predating Sigstore/npm provenance attestation. No provenance is expected for releases of this era. | ai |
v0.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.