@apidevtools/json-schema-ref-parser

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

jonlucajamesmessingerphilsturgeon

Keywords

jsonschemajsonschemajson-schemajson-pointer$refdereferenceresolve

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	slsa-provenance	AI (provenance): Package is published via GitHub Actions CI/CD with Sigstore/SLSA attestation — strongest supply chain integrity signal; stable for this package going forward.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Transition from human publisher to GitHub Actions with SLSA provenance is a legitimate CI/CD modernization, not a compromise indicator for this package.	ai	2026/04/24

Versions (showing 47 of 47)

Version	Deps	Published
15.3.5	1 / 23	2026-03-30
15.3.4	1 / 23	2026-03-27
15.3.3	1 / 23	2026-03-26
15.3.2	1 / 23	2026-03-23
15.3.1	1 / 23	2026-02-28
15.3.0	1 / 23	2026-02-28
15.2.2	1 / 23	2026-01-24
15.2.1	1 / 23	2026-01-17
15.2.0	1 / 23	2026-01-15
15.1.3	1 / 23	2025-11-29
15.1.2	1 / 23	2025-11-16
15.1.1	1 / 23	2025-11-12
15.1.0	1 / 23	2025-11-12
15.0.1	1 / 23	2025-11-12
15.0.0	1 / 23	2025-11-11
14.2.1	1 / 23	2025-09-10
14.2.0	1 / 23	2025-08-18
14.1.1	2 / 23	2025-07-15
14.1.0	2 / 23	2025-07-07
14.0.3	2 / 23	2025-06-30
14.0.2	2 / 23	2025-06-18
14.0.1	2 / 23	2025-06-16
14.0.0	2 / 23	2025-06-16
13.0.5	2 / 23	2025-06-10
13.0.4	2 / 23	2025-06-08
13.0.3	2 / 23	2025-06-06
13.0.2	2 / 23	2025-06-06
13.0.1	2 / 23	2025-06-03
13.0.0	2 / 23	2025-06-03
12.0.2	3 / 23	2025-05-12
12.0.1	3 / 23	2025-04-12
12.0.0	3 / 23	2025-04-11
11.9.3	3 / 23	2025-02-27
11.9.2	3 / 23	2025-02-26
11.9.1	3 / 23	2025-02-12
11.9.0	3 / 23	2025-01-28
11.8.2	3 / 23	2025-01-28
11.7.3	3 / 23	2024-12-05
11.7.2	3 / 23	2024-10-10
11.7.1	3 / 23	2024-10-10
11.7.0	3 / 23	2024-08-01
11.6.5	3 / 23	2024-08-01
11.6.4	3 / 19	2024-06-03
11.6.3	3 / 19	2024-06-02
11.6.2	3 / 19	2024-05-18
11.6.1	3 / 19	2024-04-23
9.1.2	4 / 16	2023-01-25

v15.3.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.3.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.3.2

2 findings

HIGH Publisher changed: philsturgeon → GitHub Actions (on 2026-03-23) provenance

This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.3.1

2 findings

HIGH Publisher changed: philsturgeon → GitHub Actions (on 2026-02-28) provenance

This version was published by a different npm account than previous versions on 2026-02-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.3.0

2 findings

HIGH Publisher changed: philsturgeon → GitHub Actions (on 2026-02-28) provenance

This version was published by a different npm account than previous versions on 2026-02-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.