@webassemblyjs/ast
AST utils for webassemblyjs
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
xtuc
Keywords
webassembly, javascript, ast
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:webassembly-floating-point-hex-parser | AI (phantom-deps): This dependency is legitimately declared for WebAssembly floating-point hex parsing, consistent with the package's AST utility purpose. Not a security concern. | ai | |
| dependencies | unvetted-dep:webassembly-floating-point-hex-parser | AI (dependencies): Small, purpose-specific parser used by the webassemblyjs ecosystem. Consistent with package purpose; no malicious signals. | ai | |
| dependencies | unvetted-dep:webassemblyjs | AI (dependencies): webassemblyjs is the parent monorepo package from the same publisher (xtuc); its presence as a dependency in @webassemblyjs/ast is expected and benign across all versions. | ai | |
| phantom-deps | phantom-dep:webassemblyjs | AI (phantom-deps): webassemblyjs is the parent monorepo package; phantom-dep finding is expected for this scoped monorepo package structure. | ai | |
| provenance | no-provenance | AI (provenance): Established package (2977 days old, 89 versions) published well before Sigstore provenance was common on npm. No security concern. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of ajv; false positive for this well-established WebAssembly tooling package. | ai | |
| typosquat | typosquat.levenshtein:jest | AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of jest; the levenshtein match is a false positive for this well-established WebAssembly tooling package. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of got; false positive for this well-established WebAssembly tooling package. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of qs; false positive for this well-established WebAssembly tooling package. | ai | |
| dependencies | unvetted-dep:@webassemblyjs/helper-wasm-bytecode | AI (dependencies): Sibling package from the same @webassemblyjs namespace and author (xtuc); not a suspicious third-party dependency. | ai | |
Versions (showing 51 of 67)
| Version | Deps | Published |
|---|---|---|
| 1.14.1 | 2 / 4 | |
| 1.13.2 | 2 / 4 | |
| 1.13.1 | 2 / 4 | |
| 1.12.1 | 2 / 4 | |
| 1.11.6 | 2 / 4 | |
| 1.11.5 | 2 / 4 | |
| 1.11.3 | 2 / 4 | |
| 1.11.1 | 2 / 4 | |
| 1.11.0 | 2 / 4 | |
| 1.10.1 | 2 / 4 | |
| 1.10.0 | 2 / 4 | |
| 1.9.1 | 3 / 4 | |
| 1.9.0 | 3 / 4 | |
| 1.8.5 | 3 / 4 | |
| 1.8.4 | 3 / 4 | |
| 1.8.3 | 3 / 4 | |
| 1.8.2 | 3 / 4 | |
| 1.8.1 | 3 / 4 | |
| 1.8.0 | 3 / 4 | |
| 1.7.11 | 3 / 4 | |
| 1.7.10 | 3 / 4 | |
| 1.7.9 | 3 / 4 | |
| 1.7.8 | 3 / 4 | |
| 1.7.7 | 4 / 3 | |
| 1.7.6 | 4 / 3 | |
| 1.7.5 | 4 / 3 | |
| 1.7.4 | 4 / 3 | |
| 1.7.3 | 4 / 3 | |
| 1.7.2 | 4 / 3 | |
| 1.7.1 | 4 / 3 | |
| 1.7.0 | 4 / 3 | |
| 1.6.1 | 5 / 3 | |
| 1.6.0 | 5 / 3 | |
| 1.5.13 | 5 / 3 | |
| 1.5.12 | 5 / 3 | |
| 1.5.11 | 5 / 3 | |
| 1.5.10 | 5 / 3 | |
| 1.5.9 | 5 / 3 | |
| 1.5.8 | 5 / 3 | |
| 1.5.7 | 5 / 3 | |
| 1.5.6 | 5 / 3 | |
| 1.5.5 | 6 / 3 | |
| 1.5.4 | 4 / 2 | |
| 1.5.3 | 4 / 2 | |
| 1.5.2 | 4 / 2 | |
| 1.5.1 | 4 / 2 | |
| 1.5.0 | 4 / 2 | |
| 1.4.3 | 4 / 1 | |
| 1.4.2 | 4 / 1 | |
| 1.4.1 | 4 / 1 | |
| 1.4.0 | 3 / 1 | |