
@storm-software/eslint-plugin-tsdoc

Versions: 23
License: not shown
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version (0.0.24). Three checks are shown: SLSA provenance attestation, npm registry signatures, gitHead linked.

Together these tie the published tarball to a specific CI workflow run and to the source commit recorded as gitHead. They say nothing about whether that source, or the dependencies bundled into the dist files, is benign; that is what the accepted-risk review below covers.

Maintainers

stormie-bot, sullivanpj

Keywords

eslint, eslint-plugin, storm-software

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/plugin-J8NsxKRJ.mjs | AI (source-diff): Rolldown bundle of explicitly declared inlinedDependencies; minified but not obfuscated or malicious. | ai |
source-diff | net-exec-file:dist/plugin-J8NsxKRJ.mjs | AI (source-diff): Network/exec pattern is from bundled resolver/module deps (resolve, is-core-module), not dropper behavior. | ai |
source-diff | net-exec-file:dist/plugin-BxdznRU6.mjs | AI (source-diff): False positive on bundled ESLint plugin; no actual network+exec payload, just bundled module resolution helpers. | ai |
source-diff | obfuscated-file:dist/plugin-BxdznRU6.mjs | AI (source-diff): Rolldown bundle of inlined deps (@microsoft/tsdoc etc.); confirmed by inlinedDependencies field and SLSA provenance. | ai |
source-diff | net-exec-file:dist/plugin-BuKHlGry.mjs | AI (source-diff): Network/exec pattern is bundler boilerplate from rolldown runtime, not dropper malware. | ai |
source-diff | obfuscated-file:dist/plugin-BuKHlGry.mjs | AI (source-diff): Rolldown bundle inlining declared inlinedDependencies; readable commented code, not obfuscation. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase explained by bundling inlinedDependencies into the dist file. | ai |
phantom-deps | phantom-dep:function-bind | AI (phantom-deps): Transitive dep; declared explicitly. | ai |
phantom-deps | phantom-dep:is-core-module | AI (phantom-deps): Transitive dep of resolve; declared explicitly. | ai |
phantom-deps | phantom-dep:fast-deep-equal | AI (phantom-deps): Transitive dep of ajv; declared explicitly. | ai |
phantom-deps | phantom-dep:ajv | AI (phantom-deps): Transitive dep of @microsoft/tsdoc-config; declared explicitly, not a phantom threat. | ai |
phantom-deps | phantom-dep:@typescript-eslint/utils | AI (phantom-deps): Declared as direct dep; phantom-dep heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:defu | AI (phantom-deps): Declared as direct dep; phantom-dep heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:json-schema-traverse | AI (phantom-deps): Transitive dep of ajv; declared explicitly. | ai |
phantom-deps | phantom-dep:jju | AI (phantom-deps): Transitive dep of @microsoft/tsdoc-config; declared explicitly. | ai |
phantom-deps | phantom-dep:hasown | AI (phantom-deps): Transitive dep of resolve; declared explicitly. | ai |
phantom-deps | phantom-dep:uri-js | AI (phantom-deps): Transitive dep of ajv; declared explicitly. | ai |
phantom-deps | phantom-dep:resolve | AI (phantom-deps): Legitimate dep for module resolution in eslint plugin context. | ai |
phantom-deps | phantom-dep:es-errors | AI (phantom-deps): Transitive dep; declared explicitly, no threat. | ai |
phantom-deps | phantom-dep:path-parse | AI (phantom-deps): Transitive dep of resolve; declared explicitly. | ai |

Versions (showing 23 of 23)

Version Deps Published
0.0.24 16 / 13
0.0.23 16 / 13
0.0.22 16 / 13
0.0.21 16 / 13
0.0.20 16 / 13
0.0.19 16 / 13
0.0.18 16 / 13
0.0.17 16 / 13
0.0.16 16 / 13
0.0.15 16 / 13
0.0.14 16 / 13
0.0.13 16 / 13
0.0.12 16 / 13
0.0.11 16 / 13
0.0.10 16 / 13
0.0.9 16 / 13
0.0.8 3 / 13
0.0.7 3 / 13
0.0.6 3 / 13
0.0.5 3 / 13
0.0.4 3 / 13
0.0.3 3 / 13
0.0.2 3 / 13

v0.0.24

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
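What the attestation actually lets a consumer check is a set of bindings: the statement's subject digest must equal the tarball the registry serves, the source commit the builder checked out must equal the manifest's gitHead, and the builder must be one you trust. The script below is an added example, not the registry's or the project's code, and does those three comparisons on constructed fixtures (the digest, commit hash and repository URL are hypothetical, not this package's real values). It does not verify the Sigstore signature over the statement; `npm audit signatures` does that and must run first, otherwise the statement is just unsigned JSON.

```javascript
// Added example (not the registry's or the project's code): check an npm
// SLSA v1 provenance statement against the registry manifest. Fixtures are
// constructed; the builder id is an assumption (GitHub-hosted Actions runners).
// Signature verification is NOT done here: run `npm audit signatures` first.

const TRUSTED_BUILDERS = ['https://github.com/actions/runner/github-hosted']; // assumption

function sriToHex(integrity) {
  if (!integrity.startsWith('sha512-')) throw new Error('expected sha512 SRI: ' + integrity);
  return Buffer.from(integrity.slice('sha512-'.length), 'base64').toString('hex');
}

// npm names the subject as a package URL with the scope marker percent-encoded.
function npmPurl(name, version) {
  return 'pkg:npm/' + name.replace(/^@/, '%40') + '@' + version;
}

function checkProvenance(statement, manifest, opts) {
  const problems = [];
  if (statement._type !== 'https://in-toto.io/Statement/v1') problems.push('unexpected statement type');
  if (statement.predicateType !== 'https://slsa.dev/provenance/v1') problems.push('unexpected predicateType');

  // 1. The attested artifact must be the tarball the registry serves (dist.integrity).
  const wantHex = sriToHex(manifest.dist.integrity);
  const subject = (statement.subject || []).find((s) => s.digest && s.digest.sha512 === wantHex);
  if (!subject) problems.push('no subject matches dist.integrity');
  else if (subject.name !== npmPurl(manifest.name, manifest.version)) problems.push('subject name mismatch');

  // 2. The commit the builder checked out must be the gitHead the manifest claims.
  const bd = (statement.predicate || {}).buildDefinition || {};
  const src = (bd.resolvedDependencies || []).find((d) => d.digest && d.digest.gitCommit);
  if (!src) problems.push('no source commit in resolvedDependencies');
  else {
    if (src.digest.gitCommit !== manifest.gitHead) problems.push('gitHead mismatch');
    if (opts.sourceRepo && !src.uri.startsWith('git+' + opts.sourceRepo + '@')) problems.push('source repo mismatch');
  }

  // 3. Provenance from a builder you do not trust is only a claim.
  const builder = (((statement.predicate || {}).runDetails || {}).builder || {}).id;
  if (!opts.trustedBuilders.includes(builder)) problems.push('untrusted builder: ' + builder);

  return { ok: problems.length === 0, problems };
}

// Constructed fixtures.
const DIGEST_HEX = 'ab'.repeat(64);                          // hypothetical tarball sha512
const GIT_HEAD = '0123456789abcdef0123456789abcdef01234567';  // hypothetical commit
const REPO = 'https://github.com/example-org/example-repo';  // hypothetical repository

const registryManifest = { // shape of `npm view <pkg>@<version> --json`, trimmed
  name: '@storm-software/eslint-plugin-tsdoc', version: '0.0.24', gitHead: GIT_HEAD,
  dist: { integrity: 'sha512-' + Buffer.from(DIGEST_HEX, 'hex').toString('base64') },
};

const provenanceStatement = { // in-toto statement as decoded from the DSSE envelope payload
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: 'pkg:npm/%40storm-software/eslint-plugin-tsdoc@0.0.24', digest: { sha512: DIGEST_HEX } }],
  predicateType: 'https://slsa.dev/provenance/v1',
  predicate: {
    buildDefinition: {
      externalParameters: { workflow: { ref: 'refs/heads/main', repository: REPO, path: '.github/workflows/release.yml' } },
      resolvedDependencies: [{ uri: `git+${REPO}@refs/heads/main`, digest: { gitCommit: GIT_HEAD } }],
    },
    runDetails: { builder: { id: TRUSTED_BUILDERS[0] } },
  },
};

const CHECK_OPTS = { trustedBuilders: TRUSTED_BUILDERS, sourceRepo: REPO };
const verdict = checkProvenance(provenanceStatement, registryManifest, CHECK_OPTS);
console.log(verdict.ok ? 'provenance consistent with manifest' : verdict.problems.join('; '));
```

For a real package the manifest comes from `npm view <pkg>@<version> --json` and the statement is the base64 `payload` of the DSSE envelope inside the Sigstore bundle that `dist.attestations.url` points to (as npm publishes it at the time of writing). Note what passing proves and what it does not: the tarball was built by that workflow from that commit, which rules out a tampered tarball uploaded by hand; it does not rule out a malicious commit, a compromised workflow file on the same branch, or a bundled dependency that was bad before the build started.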

v0.0.23

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.22

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.21

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.20

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.19

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.17

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.8

3 findings
HIGH New obfuscated file: dist/plugin-BxdznRU6.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/plugin-BxdznRU6.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.7

3 findings
HIGH New obfuscated file: dist/plugin-BuKHlGry.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/plugin-BuKHlGry.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.6

3 findings
HIGH New obfuscated file: dist/plugin-J8NsxKRJ.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/plugin-J8NsxKRJ.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.