yahoo-finance2 — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

gadicchuh

Keywords

yahoofinancefinancialdatastockpricequotehistoricaleodend-of-dayclientlibraryagent-skillmcp-server

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:esm/_dnt.polyfills.js	AI (source-diff): dnt polyfill for import.meta across CJS/ESM; standard toolchain artifact, not malware.	ai	2026/05/31
source-diff	net-exec-file:script/_dnt.polyfills.js	AI (source-diff): CJS variant of same dnt polyfill; standard toolchain artifact.	ai	2026/05/31
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get used in import-meta-ponyfill for module-system bridging; not obfuscation.	ai	2026/05/31
phantom-deps	phantom-dep:fetch-mock-cache	AI (phantom-deps): Test/dev dependency declared but not directly imported at runtime; stable false positive for this package.	ai	2026/04/30

Versions (showing 20 of 20)

Version	Deps	Published
3.15.3	7 / 1	2026-06-12
3.15.2	7 / 1	2026-05-30
3.15.1	7 / 1	2026-05-30
3.15.0	7 / 1	2026-05-30
3.14.3	5 / 1	2026-05-29
3.14.2	5 / 1	2026-05-28
3.14.1	5 / 1	2026-05-16
3.14.0	5 / 1	2026-03-26
3.3.7	3 / 1	2025-06-28
3.3.6	3 / 1	2025-06-28
3.3.5	3 / 1	2025-05-28
3.3.4	3 / 1	2025-05-26
3.3.3	3 / 1	2025-05-23
3.3.2	3 / 1	2025-05-16
3.3.1	3 / 1	2025-05-10
3.3.0	3 / 1	2025-05-07
3.2.1	3 / 1	2025-05-04
3.2.0	3 / 1	2025-05-04
2.14.2	4 / 22	2025-11-23
2.13.4	4 / 22	2025-11-20

v3.15.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.1

3 findings

HIGH New file with network + code execution: esm/_dnt.polyfills.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: script/_dnt.polyfills.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.0

3 findings

HIGH New file with network + code execution: esm/_dnt.polyfills.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: script/_dnt.polyfills.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.14.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.14.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.14.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.14.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.