@jspm/generator
Package Import Map Generation Tool
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/generator-YFJjbcDo.js | AI (source-diff): Bundled rollup output; eval() is a bundler trick for Node built-in imports, not malware. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/generator-f8ee258e.js | AI (source-diff): Bundled rollup output; network calls and eval('import(...)') are documented bundler patterns for this import-map generator tool. | ai | |
| source-diff | net-exec-file:dist/generator-D5C7PvOF.js | AI (source-diff): Bundled rollup output of the generator itself; eval used only as cross-env dynamic import shim for node builtins. | ai | |
| source-diff | net-exec-file:dist/generator-836af1f4.js | AI (source-diff): Bundled dist file; fetch + eval(import('node:crypto')) for SRI hashes is core functionality of this import-map generator. | ai | |
| source-diff | net-exec-file:dist/generator-63a17341.js | AI (source-diff): Bundled dist file; eval usage is a Node.js legacy dynamic-import shim for built-ins, not malicious code execution. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bubblyworld is a trusted publisher with 354 approved packages and 0 rejected; addition to jspm/generator is a legitimate team expansion. | ai | |
| source-diff | net-exec-file:dist/generator-790b7aa7.js | AI (source-diff): Bundled dist artifact of the jspm generator; fetch calls are core functionality, eval() patterns are a known technique to prevent bundler resolution of Node built-ins. Not malware. | ai | |
| source-diff | net-exec-file:dist/generator-3508bfb8.js | AI (source-diff): Bundled dist file for a multi-environment ES module tool; network calls are fetch for CDN resolution, eval is used for dynamic import of Node.js built-ins as a bundler-compatibility shim — legitimate pattern for this package. | ai | |
| source-diff | net-exec-file:dist/generator-2eaaa40d.js | AI (source-diff): The network calls are legitimate registry/CDN fetches and the eval() calls are cross-environment compatibility shims for importing Node.js built-ins (node:crypto, node:fs, etc.). Pattern is consistent with JSPM's multi-environment design and visible in public source. | ai | |
| source-diff | net-exec-file:dist/generator-f9f7edef.js | AI (source-diff): Bundled build artifact for an import map generator. Network calls are package CDN fetches (core functionality); eval is a standard bundler pattern for dynamic Node.js built-in imports. Not malicious. | ai | |
| source-diff | net-exec-file:dist/generator-e39efa34.js | AI (source-diff): The dist bundle uses eval() only to wrap Node.js built-in specifiers (node:crypto, node:fs, etc.) to avoid bundler static analysis — a documented pattern in jspm. Network calls are legitimate registry/CDN fetches. Not malware. | ai | |
| source-diff | net-exec-file:dist/generator-c0c780f6.js | AI (source-diff): Dynamic eval calls are used solely to import Node.js built-ins (node:crypto, node:fs, node:path, node:url) — a standard bundler workaround in ESM bundles. Network calls are legitimate package registry fetches for import map generation. | ai | |
| source-diff | net-exec-file:dist/generator-2109fa60.js | AI (source-diff): Bundled dist file; network calls are core to jspm's CDN-fetching purpose; eval() wraps only Node built-in module name strings as a bundler workaround, not arbitrary code execution. | ai | |
| phantom-deps | phantom-dep:@jspm/core | AI (phantom-deps): @jspm/core is a legitimate declared dependency in the same org scope; phantom-dep false positive for same-org sibling packages. | ai | |
| source-diff | net-exec-file:dist/generator-9c0378a8.js | AI (source-diff): The network calls are core package functionality (fetching package metadata) and the eval() usage is a standard bundler pattern for dynamic Node.js built-in imports. Not malicious. | ai | |
| source-diff | net-exec-file:dist/generator-2dd22a69.js | AI (source-diff): The network calls are for import-map resolution (core package purpose) and the eval() patterns are a standard bundler workaround for dynamic Node built-in imports, confirmed by matching source code in the public repo. | ai | |
| source-diff | net-exec-file:dist/generator-88acda98.js | AI (source-diff): The dist bundle uses eval() only for Node.js built-in dynamic imports (e.g. eval('"node:crypto"')) as a bundler compatibility shim. Network calls are fetch for CDN package resolution — core functionality of this import map generator. | ai | |
| source-diff | net-exec-file:dist/generator-2dca0ddb.js | AI (source-diff): The flagged file is a rollup bundle of JSPM generator source. The eval pattern is a standard bundler workaround for dynamic Node.js built-in imports, not malware. Network calls are core package functionality. | ai | |
| source-diff | net-exec-file:dist/generator-f6535983.js | AI (source-diff): Bundled dist file; network calls are legitimate CDN/registry fetches for import map generation; eval() usage is a standard bundler-escape pattern for Node built-in imports, not malware. | ai | |
| dependencies | unvetted-dep:sver | AI (dependencies): sver is a semver utility that is a long-standing dependency of @jspm/generator; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/generator-c35f6b68.js | AI (source-diff): The dynamic eval is a standard bundler idiom for dynamic import of Node built-ins (avoids static analysis misclassification). Network calls are core to this import-map generation tool. Not malware. | ai | |
| source-diff | net-exec-file:dist/generator-0d01086e.js | AI (source-diff): The dynamic eval() calls in the bundle are standard cross-environment Node.js built-in import patterns (eval('"node:crypto"') etc.), not dropper/loader behavior. This is a rollup bundle of the legitimate jspm generator. | ai | |
| source-diff | net-exec-file:dist/generator-9582750c.js | AI (source-diff): Bundled rollup output of the generator itself. Network calls are core functionality; eval usage is the indirect-eval pattern for dynamic Node built-in imports in ESM bundles — not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): guybedford is the original JSPM author (listed in package.json author field) and has a strong npm track record; this is a legitimate return to canonical maintainer. | ai | |
| source-diff | net-exec-file:dist/generator-919b65a0.js | AI (source-diff): Bundled dist artifact for an import map generator; network calls are core functionality and eval() is used solely for dynamic Node built-in imports to avoid bundler static analysis — a known legitimate pattern. | ai | |
| phantom-deps | phantom-dep:abort-controller | AI (phantom-deps): abort-controller is a legitimate polyfill dependency for Node.js environments; its indirect usage pattern is expected for this type of package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() used exclusively as a bundler-escape pattern for Node.js built-in imports (node:fs, node:path, node:url, node:crypto). Legitimate and documented technique for this type of tool. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard Node.js base64 decode utility function; no obfuscation or payload hiding. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/generator-64812b2c.js | AI (source-diff): Bundled dist file for an import-map generation tool; network calls and dynamic import() are core to its function. eval() used only as a bundler-escape for Node built-ins. | ai | |
Versions (showing 51 of 54)
| Version | Deps | Published |
|---|---|---|
| 2.16.1 | 10 / 15 | |
| 2.16.0 | 10 / 15 | |
| 2.15.0 | 10 / 15 | |
| 2.14.0 | 10 / 15 | |
| 2.13.0 | 10 / 15 | |
| 2.12.0 | 10 / 15 | |
| 2.11.0 | 10 / 15 | |
| 2.10.0 | 10 / 15 | |
| 2.9.0 | 10 / 15 | |
| 2.8.0 | 10 / 15 | |
| 2.7.6 | 10 / 15 | |
| 2.7.5 | 10 / 15 | |
| 2.7.4 | 10 / 15 | |
| 2.7.3 | 10 / 15 | |
| 2.7.2 | 10 / 15 | |
| 2.7.1 | 10 / 15 | |
| 2.7.0 | 10 / 15 | |
| 2.6.4 | 10 / 15 | |
| 2.6.3 | 10 / 15 | |
| 2.6.2 | 10 / 15 | |
| 2.6.1 | 10 / 15 | |
| 2.6.0 | 10 / 15 | |
| 2.5.1 | 7 / 14 | |
| 2.5.0 | 7 / 14 | |
| 2.4.2 | 7 / 14 | |
| 2.4.1 | 7 / 14 | |
| 2.4.0 | 7 / 14 | |
| 2.3.1 | 7 / 14 | |
| 2.3.0 | 7 / 14 | |
| 2.2.0 | 7 / 14 | |
| 2.1.3 | 7 / 14 | |
| 2.1.2 | 7 / 14 | |
| 2.1.1 | 7 / 14 | |
| 2.1.0 | 7 / 14 | |
| 2.0.1 | 9 / 15 | |
| 2.0.0 | 9 / 14 | |
| 1.1.12 | 10 / 14 | |
| 1.1.11 | 10 / 14 | |
| 1.1.10 | 10 / 14 | |
| 1.1.9 | 10 / 13 | |
| 1.1.8 | 10 / 13 | |
| 1.1.7 | 10 / 13 | |
| 1.1.6 | 10 / 13 | |
| 1.1.5 | 10 / 13 | |
| 1.1.4 | 10 / 13 | |
| 1.1.3 | 10 / 13 | |
| 1.1.2 | 10 / 13 | |
| 1.1.1 | 10 / 13 | |
| 1.1.0 | 10 / 13 | |
| 1.0.4 | 10 / 12 | |
| 1.0.3 | 10 / 13 | |
v2.16.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jkrishna) than the most recent previously approved version (guybedford) on 2026-02-02, but jkrishna is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.9.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.4
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.3
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.4
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
This version was published by a different npm account than previous versions on 2023-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.12
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jkrishna) than the most recent previously approved version (guybedford) on 2023-10-08, but jkrishna is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.11
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.10
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-14. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.9
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (guybedford) than the most recent previously approved version (bubblyworld) on 2023-05-29, but guybedford is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.8
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (guybedford) than the most recent previously approved version (bubblyworld) on 2023-04-29, but guybedford is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.