@formatjs/intl-pluralrules

Polyfill for Intl.PluralRules

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

longlhoredonkuluspyrocat

Keywords

i18nintlpluralPluralRulespolyfillrules

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@types/es-abstract	AI (dependencies): @types/es-abstract is a TypeScript type definition package for es-abstract, a legitimate runtime dep. Its presence as a dep in this formatjs polyfill is a known pattern, not a risk.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): FormatJS polyfill packages ship per-locale data files; large file count increases are expected as locale coverage expands and are not indicative of injected code.	ai	2026/04/24
phantom-deps	phantom-dep:@formatjs/intl-getcanonicallocales	AI (phantom-deps): Same-org sibling dependency declared in package.json; phantom-dep flag is a stable false positive for this package.	ai	2026/04/24
dependencies	unvetted-dep:@formatjs/intl-getcanonicallocales	AI (dependencies): Sibling package in the same @formatjs org scope, maintained by the same publisher (longlho). No risk generalizes across versions.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates widespread Sigstore provenance adoption on npm; no provenance is expected and stable for this package.	ai	2026/04/24
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper, declared as a dependency, and a known implicit dependency for TypeScript-compiled packages. Stable false positive for this package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): formatjs monorepo migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation. This is a legitimate, documented transition for this package family — stronger integrity than personal account publishing.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): False positive: @formatjs/intl-pluralrules is a long-established package (2424 days, 182 versions) in the FormatJS monorepo. Inflated semver signal is incorrect for this package.	ai	2026/04/21

Versions (showing 100 of 186)

Version	Deps	Published
6.3.9	2 / 2	2026-05-27
6.3.8	2 / 2	2026-05-19
6.3.7	2 / 2	2026-05-15
6.3.6	2 / 2	2026-05-12
6.3.5	2 / 2	2026-05-05
6.3.4	2 / 2	2026-04-29
6.3.3	2 / 2	2026-04-24
6.3.2	2 / 2	2026-04-13
6.3.1	3 / 2	2026-03-19
6.2.4	3 / 2	2026-03-16
6.2.3	4 / 2	2026-03-09
6.2.2	4 / 2	2026-02-01
6.2.1	4 / 2	2026-01-19
6.2.0	4 / 2	2026-01-15
6.1.2	4 / 2	2026-01-06
6.1.1	4 / 2	2026-01-02
6.1.0	4 / 2	2025-12-26
6.0.6	4 / 2	2025-12-23
6.0.5	4 / 2	2025-12-23
6.0.4	4 / 2	2025-12-19
6.0.2	4 / 2	2025-12-17
6.0.1	4 / 2	2025-12-15
6.0.0	4 / 2	2025-12-15
5.4.6	4 / 2	2025-10-09
5.4.5	4 / 2	2025-10-03
5.4.4	4 / 2	2025-03-23
5.4.3	4 / 2	2025-02-09
5.4.2	4 / 2	2025-01-02
5.4.1	4 / 2	2024-12-09
5.4.0	4 / 2	2024-12-09
5.3.6	3 / 2	2024-12-08
5.3.5	3 / 2	2024-11-18
5.3.4	3 / 2	2024-11-05
5.3.3	3 / 2	2024-11-04
5.3.2	3 / 2	2024-11-02
5.3.1	3 / 2	2024-10-25
5.3.0	3 / 2	2024-10-25
5.2.17	3 / 2	2024-10-21
5.2.16	3 / 2	2024-10-12
5.2.15	3 / 2	2024-10-09
5.2.14	3 / 2	2024-05-19
5.2.13	3 / 2	2024-05-18
5.2.12	3 / 2	2024-01-16
5.2.11	3 / 2	2024-01-16
5.2.10	3 / 2	2023-11-14
5.2.9	3 / 2	2023-11-12
5.2.8	3 / 2	2023-11-06
5.2.7	3 / 2	2023-10-16
5.2.6	3 / 2	2023-09-10
5.2.5	3 / 2	2023-09-07
5.2.4	3 / 2	2023-06-12
5.2.3	3 / 2	2023-06-06
5.2.2	3 / 2	2023-05-01
5.2.1	3 / 2	2023-04-19
5.2.0	3 / 2	2023-04-17
5.1.10	3 / 2	2023-02-20
5.1.9	3 / 2	2023-02-20
5.1.8	3 / 2	2022-12-02
5.1.7	3 / 2	2022-12-01
5.1.5	3 / 2	2022-11-29
5.1.4	3 / 2	2022-10-13
5.1.3	3 / 2	2022-08-27
5.1.2	3 / 2	2022-08-21
5.1.0	3 / 2	2022-08-21
5.0.3	3 / 0	2022-07-05
5.0.2	3 / 0	2022-06-06
5.0.1	3 / 0	2022-05-19
4.3.3	3 / 0	2022-03-26
4.3.2	3 / 0	2022-02-06
4.3.1	3 / 0	2022-01-24
4.3.0	3 / 0	2022-01-09
4.2.1	3 / 0	2022-01-03
4.2.0	3 / 0	2021-12-20
4.1.6	3 / 0	2021-12-01
4.1.5	3 / 0	2021-10-17
4.1.4	3 / 0	2021-09-27
4.1.3	3 / 0	2021-08-21
4.1.2	3 / 0	2021-08-15
4.1.1	3 / 0	2021-08-06
4.1.0	3 / 0	2021-07-24
4.0.28	2 / 0	2021-06-26
4.0.27	2 / 0	2021-06-05
4.0.26	2 / 0	2021-06-05
4.0.25	2 / 0	2021-06-04
4.0.24	2 / 0	2021-06-02
4.0.23	2 / 0	2021-06-01
4.0.22	2 / 0	2021-05-23
4.0.21	2 / 0	2021-05-20
4.0.20	2 / 0	2021-05-17
4.0.19	2 / 0	2021-05-14
4.0.18	2 / 0	2021-05-10
4.0.17	2 / 0	2021-05-02
4.0.16	2 / 0	2021-04-26
4.0.15	2 / 0	2021-04-26
4.0.14	2 / 0	2021-04-12
4.0.13	2 / 0	2021-03-26
4.0.12	2 / 0	2021-03-15
4.0.11	2 / 0	2021-03-01
4.0.10	2 / 0	2021-02-25
4.0.9	2 / 0	2021-02-25

Showing 100 of 186 Next page →

v6.3.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.1

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-03-19) provenance

This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.4

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-03-16) provenance

This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.3

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-03-09) provenance

This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.2

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-02-01) provenance

This version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.1

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-01-19) provenance

This version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.0

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-01-15) provenance

This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.2

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-01-06) provenance

This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.1

2 findings

HIGH Publisher changed: longlho → GitHub Actions (on 2026-01-02) provenance

This version was published by a different npm account than previous versions on 2026-01-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.