@volar/pug-language-service

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

johnsoncodehk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:vscode-languageserver-textdocument	AI (phantom-deps): vscode-languageserver-textdocument is legitimately used; phantom-dep is a false positive for config-referenced dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/code-gen	AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/source-map	AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/transforms	AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos.	ai	2026/04/24
phantom-deps	phantom-dep:vscode-languageserver-types	AI (phantom-deps): vscode-languageserver-types is legitimately used; phantom-dep is a false positive for config-referenced dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:pug-lexer	AI (phantom-deps): pug-lexer is legitimately used by the language service; phantom-dep is a false positive for config-referenced dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:pug-parser	AI (phantom-deps): pug-parser is legitimately used by the language service; phantom-dep is a false positive for config-referenced dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/shared	AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): New deps are @volar/language-service and muggle-string, both from the same Volar ecosystem author (johnsoncodehk). Consistent with v1.0.0 architecture refactor, not a supply chain risk.	ai	2026/04/24
dependencies	unvetted-dep:muggle-string	AI (dependencies): muggle-string is a legitimate utility used throughout the Volar ecosystem by the same maintainer; not a security concern for this package.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Monorepo sub-package from a trusted publisher; missing description is a cosmetic issue, not a security signal.	ai	2026/04/23
dependencies	unvetted-dep:pug-parser	AI (dependencies): pug-parser is a legitimate, well-known package in the Pug template engine ecosystem; its use in a pug language service is expected and appropriate.	ai	2026/04/23

Versions (showing 51 of 55)

View all versions

Version	Deps	Published
1.0.24	8 / 1	2023-01-08
1.0.21	9 / 1	2023-01-04
1.0.20	9 / 1	2023-01-03
1.0.18	9 / 1	2022-12-26
1.0.17	9 / 1	2022-12-25
1.0.16	9 / 1	2022-12-20
1.0.14	9 / 1	2022-12-18
1.0.13	9 / 1	2022-12-12
1.0.12	9 / 1	2022-12-08
1.0.8	9 / 1	2022-10-15
1.0.0	9 / 1	2022-10-07
0.40.13	8 / 1	2022-09-08
0.40.10	8 / 1	2022-09-06
0.40.8	8 / 1	2022-09-06
0.40.7	8 / 1	2022-09-05
0.40.6	8 / 1	2022-09-03
0.40.5	8 / 1	2022-08-30
0.40.3	8 / 1	2022-08-28
0.40.2	8 / 1	2022-08-27
0.40.1	8 / 1	2022-08-10
0.40.0	8 / 1	2022-08-10
0.39.4	8 / 1	2022-07-31
0.39.3	8 / 1	2022-07-31
0.39.0	8 / 1	2022-07-22
0.38.9	8 / 1	2022-07-19
0.38.8	8 / 1	2022-07-17
0.38.7	8 / 1	2022-07-16
0.38.5	8 / 1	2022-07-11
0.38.4	8 / 1	2022-07-11
0.38.3	8 / 1	2022-07-07
0.38.0	8 / 1	2022-06-18
0.37.8	8 / 1	2022-06-14
0.37.7	8 / 1	2022-06-13
0.37.4	8 / 1	2022-06-09
0.37.2	8 / 1	2022-06-07
0.37.0	8 / 1	2022-06-06
0.36.0	8 / 1	2022-06-02
0.35.0	8 / 1	2022-05-28
0.34.15	8 / 1	2022-05-15
0.34.13	8 / 1	2022-05-11
0.34.12	8 / 1	2022-05-10
0.34.11	8 / 1	2022-04-29
0.34.9	8 / 1	2022-04-21
0.34.6	8 / 1	2022-04-12
0.34.5	8 / 1	2022-04-11
0.34.4	8 / 1	2022-04-11
0.34.2	8 / 1	2022-04-10
0.34.0	8 / 1	2022-04-09
0.33.6	8 / 1	2022-03-21
0.33.5	8 / 1	2022-03-21
0.33.4	8 / 1	2022-03-21