@definitelytyped/header-parser

This library parses package.jsons of [DefinitelyTyped](https://github.com/DefinitelyTyped/DefinitelyTyped) types. Its name is left over from when package information was stored in textual headers.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

microsoft1esandrewbranchtypessanders_nweswighamdefinitelytyped-publisherjakebailey

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): microsoft1es is a Microsoft org account; consistent with internal team management of DefinitelyTyped tooling.	ai	2026/05/19
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of sheetalkamat alongside microsoft1es addition is an expected Microsoft org account rotation.	ai	2026/05/19
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by resumed publishing is consistent with periodic DefinitelyTyped-tools release cadence, not takeover.	ai	2026/05/19
bogus-package	bogus-package	AI (bogus-package): Internal tooling package; sparse README and no keywords are expected for this org's monorepo packages.	ai	2026/05/19
dependencies	unvetted-dep:@definitelytyped/utils	AI (dependencies): Sibling package in the same microsoft/DefinitelyTyped-tools monorepo; stable false positive.	ai	2026/05/19
dependencies	unvetted-dep:@definitelytyped/typescript-versions	AI (dependencies): Sibling package in the same microsoft/DefinitelyTyped-tools monorepo; stable false positive.	ai	2026/05/19