@codemirror/lang-json — Greenflagged

JSON language support for the CodeMirror code editor

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

adrianheinemarijn

Keywords

editorcode

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:lezer-tree	AI (phantom-deps): lezer-tree is a legitimate peer/type dependency of this CodeMirror package, referenced in config but not directly imported. No security risk.	ai	2026/04/24
dependencies	unvetted-dep:lezer-json	AI (dependencies): lezer-json is the expected JSON parser dependency for this CodeMirror language package; legitimate and expected for this ecosystem.	ai	2026/04/24
dependencies	unvetted-dep:@codemirror/language	AI (dependencies): @codemirror/language is a core CodeMirror 6 package by the same author (Marijn Haverbeke); it is a legitimate and expected dependency for all @codemirror/lang-* packages.	ai	2026/04/23
dependencies	unvetted-dep:@lezer/json	AI (dependencies): @lezer/json is the official Lezer JSON grammar maintained by the same author (Marijn Haverbeke) as part of the CodeMirror/Lezer ecosystem; this dependency is expected and stable for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Official CodeMirror package by Marijn Haverbeke; lack of provenance attestation is common and not a meaningful risk signal for this well-established author.	ai	2026/04/21

Versions (showing 8 of 8)

Version	Deps	Published
6.0.2	2 / 1	2025-06-19
6.0.0	2 / 1	2022-06-08
0.20.0	2 / 1	2022-04-20
0.19.2	3 / 1	2022-02-15
0.19.0	3 / 1	2021-08-11
0.18.0	3 / 3	2021-03-03
0.17.1	4 / 3	2021-01-06
0.17.0	4 / 3	2020-12-29