@codemirror/view
DOM view component for the CodeMirror code editor
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Long strings are Unicode BiDi character type lookup tables (LowTypes/ArabicTypes), a documented and stable pattern in CodeMirror's bidi text rendering code. Not malicious. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Long strings are Unicode BiDi character type lookup tables (LowTypes/ArabicTypes), a documented and stable pattern in CodeMirror's bidi text rendering code. Not malicious. | ai | |
| dependencies | unvetted-dep:style-mod | AI (dependencies): style-mod is a well-known CodeMirror ecosystem package by the same author; stable dependency across all @codemirror/view versions. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): @codemirror/view is a legitimate, long-established CodeMirror 6 package by Marijn Haverbeke; the Levenshtein match to 'vite' is purely coincidental and not a typosquat. | ai | |
| dependencies | unvetted-dep:@codemirror/state | AI (dependencies): @codemirror/state is the core state package of the CodeMirror 6 ecosystem by the same author; stable and expected dependency. | ai | |
| dependencies | unvetted-dep:w3c-keyname | AI (dependencies): w3c-keyname is a well-known CodeMirror ecosystem package by the same author; stable dependency across all @codemirror/view versions. | ai | |
| dependencies | unvetted-dep:crelt | AI (dependencies): crelt is a well-known CodeMirror ecosystem utility by the same author; stable dependency across all @codemirror/view versions. | ai |
Versions (showing 51 of 238)
| Version | Deps | Published |
|---|---|---|
| 6.43.0 | 4 / 1 | |
| 6.42.1 | 4 / 1 | |
| 6.42.0 | 4 / 1 | |
| 6.41.1 | 4 / 1 | |
| 6.41.0 | 4 / 1 | |
| 6.40.0 | 4 / 1 | |
| 6.39.17 | 4 / 1 | |
| 6.39.16 | 4 / 1 | |
| 6.39.15 | 4 / 1 | |
| 6.39.14 | 4 / 1 | |
| 6.39.13 | 4 / 1 | |
| 6.39.12 | 4 / 1 | |
| 6.39.11 | 4 / 1 | |
| 6.39.10 | 4 / 1 | |
| 6.39.9 | 4 / 1 | |
| 6.39.8 | 4 / 1 | |
| 6.39.7 | 4 / 1 | |
| 6.39.6 | 4 / 1 | |
| 6.39.5 | 4 / 1 | |
| 6.39.4 | 4 / 1 | |
| 6.39.3 | 4 / 1 | |
| 6.39.2 | 4 / 1 | |
| 6.39.1 | 4 / 1 | |
| 6.39.0 | 4 / 1 | |
| 6.38.8 | 4 / 1 | |
| 6.38.7 | 4 / 1 | |
| 6.38.6 | 4 / 1 | |
| 6.38.5 | 4 / 1 | |
| 6.38.4 | 4 / 1 | |
| 6.38.3 | 4 / 1 | |
| 6.38.2 | 4 / 1 | |
| 6.38.1 | 4 / 1 | |
| 6.38.0 | 4 / 1 | |
| 6.37.2 | 4 / 1 | |
| 6.37.1 | 4 / 1 | |
| 6.37.0 | 3 / 1 | |
| 6.36.8 | 3 / 1 | |
| 6.36.7 | 3 / 1 | |
| 6.36.6 | 3 / 1 | |
| 6.36.5 | 3 / 1 | |
| 6.36.4 | 3 / 1 | |
| 6.36.3 | 3 / 1 | |
| 6.36.2 | 3 / 1 | |
| 6.36.1 | 3 / 1 | |
| 6.36.0 | 3 / 1 | |
| 6.35.3 | 3 / 1 | |
| 6.35.2 | 3 / 1 | |
| 6.35.1 | 3 / 1 | |
| 6.35.0 | 3 / 1 | |
| 6.34.3 | 3 / 1 | |
| 6.34.2 | 3 / 1 |
v6.43.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.42.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.42.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.41.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.40.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.39.0
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.8
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.38.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.38.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.37.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.37.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.36.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.36.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.35.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.35.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.35.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.34.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.34.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.