@formatjs/intl-unified-numberformat
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): pyrocat is a known formatjs contributor with 824 approved packages and no rejections; transition from longlho (original author) is a legitimate org-level maintainer change. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): pyrocat is a trusted publisher (824 approved/0 rejected) and a known formatjs ecosystem contributor; addition is a legitimate maintainer transition. | ai | |
| source-diff | obfuscated-file:src/locales.ts | AI (source-diff): src/locales.ts is a machine-generated CLDR locale data file (marked @generated). Dense single-line JSON is expected for i18n data; not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/locale-data/en-US-POSIX.js | AI (source-diff): Locale data files in this package are @generated CLDR data with long JSON lines — standard pattern for i18n polyfills, not obfuscation. Stable false positive for all versions of this package. | ai | |
| dependencies | unvetted-dep:unicode-12.1.0 | AI (dependencies): unicode-12.1.0 is a legitimate Unicode data package; its use is consistent with this i18n number format polyfill's purpose. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread npm provenance adoption; publisher has 720 approved packages with 0 rejections. Lack of provenance is not a meaningful risk signal here. | ai | |
| dependencies | unvetted-dep:@formatjs/intl-utils | AI (dependencies): @formatjs/intl-utils is a sibling package in the same FormatJS monorepo, published by the same trusted maintainer (longlho). This is a stable internal dependency relationship. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 3.3.7 | 1 / 6 | |
| 3.3.6 | 1 / 6 | |
| 3.3.5 | 1 / 6 | |
| 3.3.4 | 1 / 3 | |
| 3.3.3 | 1 / 3 | |
| 3.3.2 | 1 / 3 | |
| 3.3.1 | 1 / 3 | |
| 3.3.0 | 1 / 3 | |
| 3.2.0 | 1 / 3 | |
| 3.1.0 | 2 / 3 | |
| 3.0.4 | 2 / 2 | |
| 3.0.3 | 2 / 2 | |
| 3.0.1 | 1 / 2 | |
| 3.0.0 | 1 / 2 | |
| 2.2.0 | 1 / 2 | |
| 2.1.8 | 1 / 2 | |
| 2.1.7 | 1 / 2 | |
| 2.1.6 | 1 / 2 | |
| 2.1.5 | 1 / 2 | |
| 2.1.4 | 1 / 2 | |
| 2.1.3 | 1 / 2 | |
| 2.1.2 | 1 / 2 | |
| 2.1.1 | 1 / 2 | |
| 2.1.0 | 1 / 2 | |
| 2.0.1 | 1 / 2 | |
| 2.0.0 | 1 / 2 | |
v3.3.7
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.6
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.5
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.4
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
3 findings:
- This version was published by a different npm account than previous versions on 2020-04-12. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
3 findings:
- This version was published by a different npm account than previous versions on 2020-01-27. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.