@vscode/l10n
A helper library to assist in localizing subprocesses spun up by VS Code extensions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from individual MS employee to vscode-bot is a documented Microsoft org transition. vscode-bot has 798 approved packages and is the standard Microsoft VS Code publishing account. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (microsoft1es, joaomoreno.ms, vscode-bot) are Microsoft organizational accounts replacing individual employee accounts — a known Microsoft OSS publishing consolidation pattern. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are all known VS Code team individual accounts replaced by Microsoft org accounts. Consistent with Microsoft's publishing consolidation; not a takeover signal. | ai | |
| provenance | missing-githead | AI (provenance): vscode-bot is a trusted Microsoft publisher; missing gitHead reflects a CI/CD environment change, not a security concern for this well-established package. | ai | |
| provenance | no-provenance | AI (provenance): Microsoft/vscode-bot is a well-established publisher; absence of Sigstore provenance is not a meaningful risk signal for this package. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 0.0.18 | 0 / 16 | |
| 0.0.17 | 0 / 16 | |
| 0.0.16 | 0 / 17 | |
| 0.0.15 | 0 / 17 | |
| 0.0.14 | 0 / 17 | |
| 0.0.13 | 0 / 17 | |
| 0.0.11 | 0 / 17 | |
| 0.0.10 | 0 / 16 | |
| 0.0.9 | 0 / 16 | |
| 0.0.8 | 0 / 16 | |
| 0.0.7 | 0 / 16 | |
| 0.0.6 | 0 / 14 | |
| 0.0.5 | 0 / 14 | |
| 0.0.3 | 0 / 13 | |
| 0.0.2 | 0 / 13 | |
| 0.0.1 | 0 / 13 |
v0.0.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: vscode-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: vscode-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: vscode-bot.
v0.0.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: vscode-bot.
v0.0.5
3 findingsThis version was published by a different npm account than previous versions on 2022-10-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: vscode-bot.
v0.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.