@asamuzakjp/dom-selector
A CSS selector engine.
Versions: 12
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
asamuzakjp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:src/js/nwsapi.js | AI (source-diff): Vendored fork of nwsapi; Function() builds CSS selector resolvers, not network/exec malware. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/constant.js | AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/parser.js | AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type definitions are conventionally loaded; stable pattern for TypeScript packages. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/utility.js | AI (source-diff): Minified output from esbuild build step (documented in package.json compat script); stable for this package's build process. | ai | |
| source-diff | obfuscated-file:dist/cjs/index.cjs | AI (source-diff): Minified CJS bundle output from tsup bundler; source available in src/ directory with TypeScript types. Standard build artifact, not obfuscation hiding malicious code. | ai | |
| dependencies | unvetted-dep:@types/node | AI (dependencies): @types/node is a Microsoft-maintained TypeScript type package; its use as a runtime dependency in a TypeScript project is a common pattern and poses no security risk. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of finder.js module (~83KB source + ~84KB CJS build + ~135KB source map). Legitimate feature addition to a CSS selector engine by a trusted publisher. | ai | |
| phantom-deps | phantom-dep:@types/css-tree | AI (phantom-deps): Type definitions are conventionally loaded; stable pattern for TypeScript packages. | ai | |
| dependencies | unvetted-dep:@types/css-tree | AI (dependencies): @types/css-tree is a standard TypeScript type definition package for css-tree, appropriate for a DOM selector library. No security concern. | ai | |
| dependencies | unvetted-dep:nwsapi | AI (dependencies): nwsapi is a legitimate CSS selector library; its addition to a DOM selector engine is contextually appropriate and pinned to a specific version. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/dom-util.js | AI (source-diff): Minified CommonJS output from esbuild build process; legitimate build artifact with source maps and TypeScript sources available. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/matcher.js | AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification. | ai | |
| source-diff | obfuscated-file:dist/cjs/js/finder.js | AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependency is @asamuzakjp/nwsapi, another package from the same trusted publisher; not an external third-party addition. | ai | |
| dependencies | unvetted-dep:bidi-js | AI (dependencies): Legitimate dependency for bidirectional text handling in CSS selector engine; version constraint is reasonable. | ai | |
| dependencies | unvetted-dep:xpath | AI (dependencies): xpath is a well-established npm package for XPath evaluation; its use in a DOM selector library is functionally appropriate and not a security concern. | ai | |
| dependencies | unvetted-dep:is-potential-custom-element-name | AI (dependencies): Focused utility for validating custom element names; appropriate for DOM selector domain. | ai | |
| dependencies | unvetted-dep:css-tree | AI (dependencies): css-tree is a well-established CSS parser; legitimate for a DOM selector library. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore adoption; no provenance is not a security signal for established packages. | ai | |