@typescript-eslint/parser
An ESLint custom parser which leverages TypeScript ESTree
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:typescript-estree | AI (dependencies): typescript-estree is the predecessor package to @typescript-eslint/typescript-estree, legitimately used by early versions of @typescript-eslint/parser before the scoped package migration. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are all first-party @typescript-eslint/* packages at matching versions plus the well-trusted 'debug' library — consistent with monorepo restructuring, not supply chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; no provenance is expected for this vintage and does not indicate risk for this well-established package. | ai | |
| provenance | missing-githead | AI (provenance): GitHub Actions automated publishing doesn't inject gitHead; SLSA provenance attestation provides stronger commit-level traceability. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — expected pattern for CI/CD-automated publishing from the official typescript-eslint org. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop is explained by code extraction into newly-added first-party monorepo packages at the same version; not a stub/redirect. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bradzacher is a well-known core contributor to typescript-eslint; legitimate addition. | ai | |
| phantom-deps | phantom-dep:@types/eslint-visitor-keys | AI (phantom-deps): @types/* packages are commonly declared as runtime deps for type resolution by convention; not a real phantom dependency concern for this package. | ai | |
| dependencies | unvetted-dep:@typescript-eslint/typescript-estree | AI (dependencies): Sibling package in the same typescript-eslint monorepo; released in lockstep at the same version. Not a suspicious third-party dependency. | ai | |
| dependencies | unvetted-dep:@typescript-eslint/scope-manager | AI (dependencies): Sibling package in the same typescript-eslint monorepo; released in lockstep at the same version. Not a suspicious third-party dependency. | ai | |
| dependencies | unvetted-dep:@typescript-eslint/visitor-keys | AI (dependencies): Sibling package in the same typescript-eslint monorepo; released in lockstep at the same version. Not a suspicious third-party dependency. | ai | |
| typosquat | typosquat.levenshtein:parcel | AI (typosquat): @typescript-eslint/parser is the canonical TypeScript ESLint parser; the Levenshtein match to 'parcel' is a false positive with no typosquat intent. | ai | |
| dependencies | unvetted-dep:@typescript-eslint/types | AI (dependencies): Sibling package in the same typescript-eslint monorepo; released in lockstep at the same version. Not a suspicious third-party dependency. | ai |
Versions (showing 51 of 394)
| Version | Deps | Published |
|---|---|---|
| 8.60.0 | 5 / 6 | |
| 8.59.4 | 5 / 6 | |
| 8.59.3 | 5 / 6 | |
| 8.59.2 | 5 / 6 | |
| 8.59.1 | 5 / 6 | |
| 8.59.0 | 5 / 6 | |
| 8.58.2 | 5 / 6 | |
| 8.58.1 | 5 / 6 | |
| 8.58.0 | 5 / 6 | |
| 8.57.2 | 5 / 6 | |
| 8.57.1 | 5 / 6 | |
| 8.57.0 | 5 / 6 | |
| 8.56.1 | 5 / 6 | |
| 8.56.0 | 5 / 6 | |
| 8.55.0 | 5 / 6 | |
| 8.54.0 | 5 / 6 | |
| 8.53.1 | 5 / 6 | |
| 8.53.0 | 5 / 6 | |
| 8.52.0 | 5 / 6 | |
| 8.51.0 | 5 / 6 | |
| 8.50.1 | 5 / 6 | |
| 8.50.0 | 5 / 6 | |
| 8.49.0 | 5 / 6 | |
| 8.48.1 | 5 / 6 | |
| 8.48.0 | 5 / 6 | |
| 8.47.0 | 5 / 6 | |
| 8.46.4 | 5 / 6 | |
| 8.46.3 | 5 / 6 | |
| 8.46.2 | 5 / 6 | |
| 8.46.1 | 5 / 6 | |
| 8.46.0 | 5 / 6 | |
| 8.45.0 | 5 / 6 | |
| 8.44.1 | 5 / 6 | |
| 8.44.0 | 5 / 6 | |
| 8.43.0 | 5 / 6 | |
| 8.42.0 | 5 / 6 | |
| 8.41.0 | 5 / 6 | |
| 8.40.0 | 5 / 6 | |
| 8.39.1 | 5 / 6 | |
| 8.39.0 | 5 / 6 | |
| 8.38.0 | 5 / 6 | |
| 8.37.0 | 5 / 6 | |
| 8.36.0 | 5 / 6 | |
| 8.35.1 | 5 / 5 | |
| 8.35.0 | 5 / 5 | |
| 8.34.1 | 5 / 5 | |
| 8.34.0 | 5 / 5 | |
| 8.33.1 | 5 / 5 | |
| 8.33.0 | 5 / 5 | |
| 8.32.1 | 5 / 6 | |
| 8.32.0 | 5 / 6 |
v8.60.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.59.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.59.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.59.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.59.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.58.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.58.1
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.58.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.57.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.57.1
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.57.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.56.1
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.56.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.55.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.54.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.53.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.53.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.52.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.51.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.50.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.50.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.49.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-08. This could indicate a legitimate maintainer transition or an account compromise.
v8.48.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.48.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-24. This could indicate a legitimate maintainer transition or an account compromise.
v8.47.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-17. This could indicate a legitimate maintainer transition or an account compromise.
v8.46.4
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-10. This could indicate a legitimate maintainer transition or an account compromise.
v8.46.3
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-03. This could indicate a legitimate maintainer transition or an account compromise.
v8.46.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.46.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.46.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.45.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.44.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.44.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.43.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-08. This could indicate a legitimate maintainer transition or an account compromise.
v8.42.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.
v8.41.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.40.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.39.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.