@std/esm — Greenflagged

Enable ES modules in Node today!

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jdaltonmathias

Keywords

commonjsecmascriptexportimportmodulesnoderequire

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase reflects addition of the bundled esm.js runtime library, which is the package's primary artifact. Expected for this package.	ai	2026/04/24
source-diff	obfuscated-file:esm.js	AI (source-diff): esm.js is the package's canonical webpack bundle; minified distribution is the documented and expected format for this package across all versions.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in webpack bundle module loader shim — standard webpack output pattern, not a real risk for this package.	ai	2026/04/24
typosquat	typosquat.levenshtein:qs	AI (typosquat): @std/esm is a legitimate, well-established ES modules package by jdalton; Levenshtein proximity to 'qs' is purely coincidental and not a typosquat.	ai	2026/04/24
typosquat	typosquat.levenshtein:jest	AI (typosquat): @std/esm is a legitimate, well-established ES modules package by jdalton; Levenshtein proximity to 'jest' is purely coincidental and not a typosquat.	ai	2026/04/24
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): @std/esm is a module loader that legitimately uses Reflect.get() to hook into Node internals. This is a known, documented characteristic of the bundled esm.js distribution — stable false positive for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Package is 3178 days old, predating Sigstore provenance. Published by highly reputable maintainer jdalton with a long track record. No provenance is expected and not a risk signal here.	ai	2026/04/23

Versions (showing 51 of 73)

View all versions

Version	Deps	Published
0.26.0	0 / 0	2018-03-27
0.25.5	0 / 0	2018-03-23
0.25.4	0 / 0	2018-03-21
0.25.3	0 / 0	2018-03-16
0.25.2	0 / 0	2018-03-06
0.25.1	0 / 0	2018-03-06
0.25.0	0 / 0	2018-03-06
0.24.0	0 / 0	2018-03-03
0.23.4	0 / 0	2018-03-01
0.23.3	0 / 0	2018-02-28
0.23.2	0 / 0	2018-02-27
0.23.1	0 / 0	2018-02-26
0.23.0	0 / 0	2018-02-24
0.22.0	0 / 0	2018-02-19
0.21.7	0 / 0	2018-02-13
0.21.6	0 / 0	2018-02-13
0.21.5	0 / 0	2018-02-12
0.21.4	0 / 0	2018-02-11
0.21.3	0 / 0	2018-02-10
0.21.2	0 / 0	2018-02-10
0.21.1	0 / 0	2018-02-08
0.21.0	0 / 0	2018-02-08
0.20.0	0 / 0	2018-01-28
0.19.7	0 / 0	2018-01-19
0.19.6	0 / 0	2018-01-17
0.19.5	0 / 0	2018-01-17
0.19.4	0 / 0	2018-01-17
0.19.3	0 / 0	2018-01-14
0.19.2	0 / 0	2018-01-13
0.19.1	0 / 0	2018-01-06
0.19.0	0 / 0	2018-01-06
0.18.0	0 / 0	2017-12-02
0.17.3	0 / 0	2017-11-28
0.17.2	0 / 0	2017-11-27
0.17.1	0 / 0	2017-11-23
0.17.0	0 / 0	2017-11-23
0.16.0	0 / 0	2017-11-17
0.15.0	0 / 0	2017-11-14
0.14.0	0 / 0	2017-11-12
0.13.0	0 / 0	2017-11-03
0.12.5	0 / 0	2017-10-30
0.12.4	0 / 0	2017-10-25
0.12.3	0 / 0	2017-10-25
0.12.2	0 / 0	2017-10-22
0.12.1	0 / 0	2017-10-20
0.12.0	0 / 0	2017-10-19
0.11.3	0 / 0	2017-10-07
0.11.2	0 / 0	2017-10-02
0.11.1	0 / 0	2017-09-29
0.11.0	0 / 0	2017-09-23
0.10.2	0 / 0	2017-09-20

v0.26.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.