vhd-lib No license 12 versions

vhd-lib

npm Repository Homepage

12

Versions

—

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

olivierlambertjulien-fpdoniastgoettelmannmathieuraflorent.beauchampmpitonb-nolletmlssfrncjrgjoris-kolivier.fpierre.brunet289elise-f

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): elise-f is an established publisher (43 approved packages) within the Vates org; transition appears legitimate.	ai	2026/05/31
provenance	publisher-changed	AI (provenance): elise-f is a Vates SAS team member with 43 approved packages; consistent with org-internal maintainer rotation.	ai	2026/05/31
dependencies	unvetted-dep:@vates/read-chunk	AI (dependencies): First-party @vates org dep from same xen-orchestra monorepo.	ai	2026/05/27
dependencies	unvetted-dep:@xen-orchestra/fs	AI (dependencies): First-party @xen-orchestra org dep from same monorepo.	ai	2026/05/27
dependencies	unvetted-dep:@xen-orchestra/log	AI (dependencies): First-party @xen-orchestra org dep from same monorepo.	ai	2026/05/27
dependencies	unvetted-dep:struct-fu	AI (dependencies): Stable third-party dep used by this package across many versions.	ai	2026/05/27
dependencies	unvetted-dep:async-iterator-to-stream	AI (dependencies): Stable utility dep used by this package across many versions.	ai	2026/05/27
phantom-deps	phantom-dep:fs-extra	AI (phantom-deps): fs-extra is declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/27
dependencies	unvetted-dep:@vates/stream-reader	AI (dependencies): First-party @vates org dep from same xen-orchestra monorepo.	ai	2026/05/27
dependencies	unvetted-dep:@vates/diff	AI (dependencies): First-party @vates org dep from same xen-orchestra monorepo.	ai	2026/05/27

Versions (showing 12 of 12)

Version	Deps	Published
4.16.0	16 / 6	2026-04-24
4.15.0	16 / 6	2026-03-27
4.14.7	16 / 5	2026-01-23
4.14.6	16 / 5	2026-01-06
4.14.5	16 / 5	2025-11-27
4.14.4	16 / 5	2025-11-03
4.14.3	16 / 5	2025-10-30
4.14.2	16 / 5	2025-10-27
4.14.1	16 / 5	2025-08-28
4.14.0	16 / 5	2025-06-27
4.13.0	16 / 5	2025-06-23
4.12.0	16 / 5	2025-05-23

v4.16.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.15.0

2 findings

HIGH Publisher changed: mlssfrncjrg → elise-f (on 2026-03-27) provenance

This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.14.7

2 findings

HIGH Publisher changed: mlssfrncjrg → mpiton (on 2026-01-23) provenance

This version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.14.6

2 findings

HIGH Publisher changed: mlssfrncjrg → elise-f (on 2026-01-06) provenance

This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.14.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.