@rollup/plugin-commonjs
Convert CommonJS modules to ES2015
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from shellscape to GitHub Actions as part of rollup/plugins monorepo migration to automated CI/CD publishing with SLSA provenance — this is a supply chain improvement, not a compromise. | ai | |
| provenance | missing-githead | AI (provenance): Established package from trusted publisher shellscape; missing gitHead reflects a publish environment change, not a security concern. No other risk signals present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): fdir and picomatch are legitimate, well-known build-tool dependencies replacing glob; consistent with rollup ecosystem patterns and not a suspicious addition. | ai | |
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is a best-practice gap, not a security defect. Established package with strong publisher history; provenance is a future hardening recommendation. | ai | |
| phantom-deps | phantom-dep:picomatch | AI (phantom-deps): picomatch is a declared runtime dependency in package.json; it is used in config/glob matching contexts. This is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:commondir | AI (dependencies): commondir is a long-standing, well-known utility dependency of this package across many versions. No security concern. | ai |
Versions (showing 67 of 67)
| Version | Deps | Published |
|---|---|---|
| 29.0.3 | 7 / 8 | |
| 29.0.2 | 7 / 8 | |
| 29.0.1 | 7 / 8 | |
| 29.0.0 | 7 / 8 | |
| 28.0.9 | 7 / 8 | |
| 28.0.8 | 7 / 8 | |
| 28.0.7 | 7 / 8 | |
| 28.0.6 | 7 / 8 | |
| 28.0.5 | 7 / 8 | |
| 28.0.4 | 7 / 8 | |
| 28.0.3 | 7 / 8 | |
| 28.0.2 | 7 / 8 | |
| 28.0.1 | 7 / 8 | |
| 28.0.0 | 7 / 8 | |
| 27.0.0 | 6 / 8 | |
| 26.0.3 | 6 / 8 | |
| 26.0.2 | 6 / 8 | |
| 26.0.1 | 6 / 8 | |
| 26.0.0 | 6 / 8 | |
| 25.0.8 | 6 / 9 | |
| 25.0.7 | 6 / 9 | |
| 25.0.6 | 6 / 9 | |
| 25.0.5 | 6 / 9 | |
| 25.0.4 | 6 / 9 | |
| 25.0.3 | 6 / 9 | |
| 25.0.2 | 6 / 9 | |
| 25.0.1 | 6 / 9 | |
| 25.0.0 | 6 / 9 | |
| 24.1.0 | 6 / 9 | |
| 24.0.1 | 6 / 9 | |
| 24.0.0 | 6 / 9 | |
| 23.0.7 | 6 / 9 | |
| 23.0.6 | 6 / 9 | |
| 23.0.5 | 6 / 9 | |
| 23.0.4 | 6 / 9 | |
| 23.0.3 | 6 / 9 | |
| 23.0.2 | 6 / 9 | |
| 23.0.1 | 6 / 9 | |
| 23.0.0 | 6 / 9 | |
| 22.0.2 | 7 / 9 | |
| 22.0.1 | 7 / 9 | |
| 22.0.0 | 7 / 9 | |
| 21.1.0 | 7 / 9 | |
| 21.0.3 | 7 / 9 | |
| 21.0.2 | 7 / 9 | |
| 21.0.1 | 7 / 9 | |
| 21.0.0 | 7 / 9 | |
| 20.0.0 | 7 / 9 | |
| 19.0.2 | 7 / 9 | |
| 19.0.1 | 7 / 9 | |
| 19.0.0 | 7 / 9 | |
| 18.1.0 | 7 / 9 | |
| 18.0.0 | 7 / 9 | |
| 17.1.0 | 7 / 9 | |
| 17.0.0 | 7 / 9 | |
| 16.0.0 | 7 / 9 | |
| 15.1.0 | 7 / 9 | |
| 15.0.0 | 7 / 9 | |
| 14.0.0 | 7 / 15 | |
| 13.0.2 | 7 / 15 | |
| 13.0.1 | 7 / 15 | |
| 13.0.0 | 7 / 15 | |
| 12.0.0 | 7 / 15 | |
| 11.1.0 | 7 / 15 | |
| 11.0.2 | 5 / 15 | |
| 11.0.1 | 5 / 20 | |
| 11.0.0 | 5 / 20 |
v29.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v29.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v29.0.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v29.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
v27.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
v26.0.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.0.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
v26.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
v26.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
v25.0.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: shellscape.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.