← Home

unsplash-js

npm Repository Homepage
2
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

unsplash-dev

Keywords

apifreeimagesphotossplashunsplash

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance slsa-provenance AI (provenance): Package publishes via GitHub Actions with SLSA attestation; stable supply chain signal for this package. ai
provenance publisher-changed AI (provenance): Publisher changed to GitHub Actions CI with SLSA provenance; consistent with org automation migration. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainer unsplash-dev is the org team account; consistent with legitimate org consolidation. ai
maintainer-change maintainer-removed AI (maintainer-change): Removed maintainers (naoufal, unsplash) replaced by org team account; consistent with org migration. ai
publish-pattern new-deps-added AI (publish-pattern): openapi-fetch is a well-known legitimate HTTP client; not a suspicious dependency. ai

Versions (showing 2 of 2)

Version Deps Published
8.0.0 1 / 8
7.0.20 0 / 6

v8.0.0

3 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (naoufal, unsplash) were replaced by new maintainers (unsplash-dev). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: unsplash → GitHub Actions (on 2026-06-03) provenance

This version was published by a different npm account than previous versions on 2026-06-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.20

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.