@volar/pug-language-service
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:vscode-languageserver-textdocument | AI (phantom-deps): vscode-languageserver-textdocument is legitimately used; phantom-dep is a false positive for config-referenced dependencies. | ai | |
| phantom-deps | phantom-dep:@volar/code-gen | AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos. | ai | |
| phantom-deps | phantom-dep:@volar/source-map | AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos. | ai | |
| phantom-deps | phantom-dep:@volar/transforms | AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos. | ai | |
| phantom-deps | phantom-dep:vscode-languageserver-types | AI (phantom-deps): vscode-languageserver-types is legitimately used; phantom-dep is a false positive for config-referenced dependencies. | ai | |
| phantom-deps | phantom-dep:pug-lexer | AI (phantom-deps): pug-lexer is legitimately used by the language service; phantom-dep is a false positive for config-referenced dependencies. | ai | |
| phantom-deps | phantom-dep:pug-parser | AI (phantom-deps): pug-parser is legitimately used by the language service; phantom-dep is a false positive for config-referenced dependencies. | ai | |
| phantom-deps | phantom-dep:@volar/shared | AI (phantom-deps): Monorepo internal dependency; phantom-dep is a false positive for same-org scoped packages in monorepos. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are @volar/language-service and muggle-string, both from the same Volar ecosystem author (johnsoncodehk). Consistent with v1.0.0 architecture refactor, not a supply chain risk. | ai | |
| dependencies | unvetted-dep:muggle-string | AI (dependencies): muggle-string is a legitimate utility used throughout the Volar ecosystem by the same maintainer; not a security concern for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo sub-package from a trusted publisher; missing description is a cosmetic issue, not a security signal. | ai | |
| dependencies | unvetted-dep:pug-parser | AI (dependencies): pug-parser is a legitimate, well-known package in the Pug template engine ecosystem; its use in a pug language service is expected and appropriate. | ai |
Versions (showing 55 of 55)
| Version | Deps | Published |
|---|---|---|
| 1.0.24 | 8 / 1 | |
| 1.0.21 | 9 / 1 | |
| 1.0.20 | 9 / 1 | |
| 1.0.18 | 9 / 1 | |
| 1.0.17 | 9 / 1 | |
| 1.0.16 | 9 / 1 | |
| 1.0.14 | 9 / 1 | |
| 1.0.13 | 9 / 1 | |
| 1.0.12 | 9 / 1 | |
| 1.0.8 | 9 / 1 | |
| 1.0.0 | 9 / 1 | |
| 0.40.13 | 8 / 1 | |
| 0.40.10 | 8 / 1 | |
| 0.40.8 | 8 / 1 | |
| 0.40.7 | 8 / 1 | |
| 0.40.6 | 8 / 1 | |
| 0.40.5 | 8 / 1 | |
| 0.40.3 | 8 / 1 | |
| 0.40.2 | 8 / 1 | |
| 0.40.1 | 8 / 1 | |
| 0.40.0 | 8 / 1 | |
| 0.39.4 | 8 / 1 | |
| 0.39.3 | 8 / 1 | |
| 0.39.0 | 8 / 1 | |
| 0.38.9 | 8 / 1 | |
| 0.38.8 | 8 / 1 | |
| 0.38.7 | 8 / 1 | |
| 0.38.5 | 8 / 1 | |
| 0.38.4 | 8 / 1 | |
| 0.38.3 | 8 / 1 | |
| 0.38.0 | 8 / 1 | |
| 0.37.8 | 8 / 1 | |
| 0.37.7 | 8 / 1 | |
| 0.37.4 | 8 / 1 | |
| 0.37.2 | 8 / 1 | |
| 0.37.0 | 8 / 1 | |
| 0.36.0 | 8 / 1 | |
| 0.35.0 | 8 / 1 | |
| 0.34.15 | 8 / 1 | |
| 0.34.13 | 8 / 1 | |
| 0.34.12 | 8 / 1 | |
| 0.34.11 | 8 / 1 | |
| 0.34.9 | 8 / 1 | |
| 0.34.6 | 8 / 1 | |
| 0.34.5 | 8 / 1 | |
| 0.34.4 | 8 / 1 | |
| 0.34.2 | 8 / 1 | |
| 0.34.0 | 8 / 1 | |
| 0.33.6 | 8 / 1 | |
| 0.33.5 | 8 / 1 | |
| 0.33.4 | 8 / 1 | |
| 0.33.3 | 8 / 1 | |
| 0.33.2 | 8 / 1 | |
| 0.33.1 | 8 / 1 | |
| 0.33.0 | 8 / 1 |
v1.0.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.35.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.