@stylistic/eslint-plugin-plus

Supplementary rules introduced by ESLint Stylistic.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

eslint-stylistic-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/vendor.js	AI (source-diff): dist/vendor.js is a Rollup-bundled vendor file with readable, commented code. Long lines are from minification of legitimate AST/parser dependencies, not obfuscation. Stable for this package.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase is due to bundling vendor dependencies (vendor.js) via Rollup, a documented build pattern for this ESLint plugin. Not an injected payload.	ai	2026/04/24
maintainer-change	maintainer-takeover	AI (maintainer-change): Transition to eslint-stylistic-bot is a documented organizational consolidation for the eslint-stylistic project; SLSA provenance confirms CI/CD publishing integrity.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): eslint-stylistic-bot is the official bot for the eslint-stylistic org; publisher change reflects legitimate org consolidation, confirmed by SLSA provenance attestation.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): eslint-stylistic-bot is the established publishing account for this org with 336 approved versions; addition is part of legitimate org transition.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers is consistent with org-level bot account consolidation for eslint-stylistic; no malicious indicators present.	ai	2026/04/24
phantom-deps	phantom-dep:@types/eslint	AI (phantom-deps): @types/eslint is a declared runtime dependency in package.json for TypeScript type support; not a phantom dep in the security sense.	ai	2026/04/24

Versions (showing 45 of 45)

Version	Deps	Published
4.4.1	2 / 0	2025-06-04
4.4.0	2 / 0	2025-05-24
4.3.0	2 / 0	2025-05-24
4.2.0	2 / 0	2025-03-03
4.1.0	2 / 0	2025-02-26
4.0.1	2 / 0	2025-02-19
4.0.0	2 / 0	2025-02-18
3.1.0	2 / 0	2025-02-08
3.0.1	2 / 0	2025-01-29
3.0.0	2 / 0	2025-01-25
2.13.0	0 / 0	2025-01-13
2.12.1	0 / 0	2024-12-11
2.12.0	0 / 0	2024-12-09
2.11.0	0 / 0	2024-11-19
2.10.1	0 / 0	2024-11-01
2.10.0	0 / 0	2024-10-30
2.9.0	0 / 0	2024-10-05
2.8.0	0 / 0	2024-09-09
2.7.2	1 / 0	2024-08-30
2.7.1	1 / 0	2024-08-29
2.6.5	1 / 0	2024-08-29
2.6.4	1 / 0	2024-08-16
2.6.3	1 / 0	2024-08-15
2.6.2	2 / 1	2024-08-08
2.6.1	2 / 1	2024-08-01
2.6.0	2 / 1	2024-07-31
2.4.0	2 / 1	2024-07-27
2.3.0	2 / 1	2024-06-25
2.2.2	2 / 1	2024-06-19
2.2.1	2 / 1	2024-06-17
2.2.0	2 / 1	2024-06-15
2.1.0	2 / 1	2024-05-09
2.0.0	2 / 1	2024-05-08
1.8.1	2 / 1	2024-05-07
1.8.0	2 / 1	2024-04-30
1.7.2	2 / 1	2024-04-15
1.7.0	2 / 1	2024-03-14
1.6.3	2 / 1	2024-02-29
1.6.2	2 / 1	2024-02-15
1.6.1	1 / 1	2024-02-08
1.6.0	1 / 1	2024-02-05
1.5.4	1 / 1	2024-01-17
1.5.3	1 / 1	2024-01-02
1.5.1	1 / 1	2023-12-11
1.5.0	1 / 1	2023-12-05

v4.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.10.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.10.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.9.0

2 findings

HIGH New obfuscated file: dist/vendor.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.8.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.0

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (eslint-community-bot, antfu, michaeldeboey) were replaced by new maintainers (eslint-stylistic-bot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: eslint-community-bot → eslint-stylistic-bot (on 2024-04-30) provenance

This version was published by a different npm account than previous versions on 2024-04-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.