
@formatjs/intl-numberformat

Versions: 51
License:
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

longlho, redonkulus, pyrocat

Keywords

i18n, intl, Intl.NumberFormat, numberformat, polyfill

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:locale-data/af-NA.js | AI (source-diff): Auto-generated locale data files with single-line JSON are not obfuscated; this is the standard formatjs pattern for all locale-data/*.js files. | ai |
source-diff | obfuscated-file:locale-data/af.js | AI (source-diff): Auto-generated locale data file; long lines are structured JSON with human-readable i18n strings, not obfuscation. | ai |
source-diff | obfuscated-file:locale-data/ar.js | AI (source-diff): Auto-generated locale data file; long lines are structured JSON with human-readable i18n strings, not obfuscation. | ai |
source-diff | large-new-source-files | AI (source-diff): Large number of new files is expected for a locale data polyfill adding comprehensive locale coverage across hundreds of locales. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to addition of locale data files for all supported locales — expected behavior for this polyfill package. | ai |
provenance | no-provenance | AI (provenance): Established formatjs package with strong publisher track record; lack of provenance attestation is a minor concern, not a security risk. | ai |
provenance | publisher-changed | AI (provenance): formatjs/formatjs monorepo transitioned to GitHub Actions CI/CD publishing with SLSA provenance attestation — a legitimate and expected automation transition for this established org. | ai |
bogus-package | bogus-package | AI (bogus-package): Empty index.js and short README are expected for this modular formatjs package which exposes functionality via named ESM exports, not a default entry point. | ai |
phantom-deps | phantom-dep:decimal.js | AI (phantom-deps): decimal.js is a legitimate dependency for arbitrary-precision arithmetic in this Intl.NumberFormat polyfill; used across polyfill entry points not fully traversed by the analyzer. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@formatjs/intl-localematcher | AI (phantom-deps): Same-org sibling dependency used implicitly; stable false positive for this formatjs package. | ai |

Versions (showing 51 of 67)

View all versions
Version | Deps | Published
9.3.10 2 / 3
9.3.9 2 / 3
9.3.8 2 / 3
9.3.7 2 / 3
9.3.4 2 / 3
9.3.3 2 / 3
9.3.2 2 / 3
9.3.1 3 / 3
9.2.4 3 / 3
9.2.3 4 / 3
9.2.2 4 / 3
9.2.1 4 / 3
9.2.0 4 / 3
9.1.2 4 / 3
9.1.1 4 / 3
9.1.0 4 / 3
9.0.7 4 / 3
9.0.6 4 / 3
9.0.5 4 / 3
9.0.3 4 / 3
9.0.2 4 / 3
9.0.1 4 / 3
9.0.0 4 / 3
8.15.6 4 / 3
8.15.5 4 / 3
8.15.4 4 / 3
8.15.3 4 / 3
8.15.2 4 / 3
8.15.1 4 / 3
8.15.0 4 / 3
8.14.6 3 / 3
8.14.5 3 / 3
8.14.4 3 / 3
8.14.3 3 / 3
8.14.2 3 / 3
8.14.1 3 / 3
8.14.0 3 / 3
8.13.0 3 / 3
8.12.0 3 / 3
8.11.0 3 / 3
8.10.3 3 / 3
8.10.2 3 / 3
8.10.1 3 / 3
8.10.0 3 / 3
8.9.2 3 / 3
8.9.1 3 / 3
8.9.0 3 / 3
8.8.2 3 / 3
8.8.1 3 / 3
8.8.0 3 / 3
8.7.2 3 / 3

v9.3.10

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.9

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.8

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.7

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.4

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.3

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.2

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.3.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.2.4

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-03-16)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.

v9.2.3

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-03-09)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.

v9.2.2

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-02-01)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.

v9.2.1

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-01-19)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.

v9.2.0

2 findings
HIGH  Publisher changed: longlho → GitHub Actions (on 2026-01-15)  [provenance]

This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.1.2

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-01-06)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.

v9.1.1

2 findings
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO  Publisher changed: longlho → GitHub Actions (on 2026-01-02)  [provenance]

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-02. This could indicate a legitimate maintainer transition or an account compromise.

v9.1.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.7

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.6

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.5

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.3

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.1

2 findings
HIGH  Phantom dependency: decimal.js  [phantom-deps]

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.0

2 findings
HIGH  Phantom dependency: decimal.js  [phantom-deps]

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.15.6

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.15.5

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.15.4

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.15.3

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.15.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.15.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.15.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.6

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.5

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.4

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.3

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.14.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.13.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.12.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.11.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.10.3

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.10.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.10.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.10.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.9.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.9.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.9.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.8.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.8.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.8.0

1 finding
INFO  No provenance attestation  [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.7.2

1 finding
INFO  No provenance attestation  [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.