← Home

@webassemblyjs/ast

npm Repository Homepage

AST utils for webassemblyjs

67
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

xtuc

Keywords

webassemblyjavascriptast

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:webassembly-floating-point-hex-parser AI (phantom-deps): This dependency is legitimately declared for WebAssembly floating-point hex parsing, consistent with the package's AST utility purpose. Not a security concern. ai
dependencies unvetted-dep:webassembly-floating-point-hex-parser AI (dependencies): Small, purpose-specific parser used by the webassemblyjs ecosystem. Consistent with package purpose; no malicious signals. ai
dependencies unvetted-dep:webassemblyjs AI (dependencies): webassemblyjs is the parent monorepo package from the same publisher (xtuc); its presence as a dependency in @webassemblyjs/ast is expected and benign across all versions. ai
phantom-deps phantom-dep:webassemblyjs AI (phantom-deps): webassemblyjs is the parent monorepo package; phantom-dep finding is expected for this scoped monorepo package structure. ai
provenance no-provenance AI (provenance): Established package (2977 days old, 89 versions) published well before Sigstore provenance was common on npm. No security concern. ai
typosquat typosquat.levenshtein:ajv AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of ajv; false positive for this well-established WebAssembly tooling package. ai
typosquat typosquat.levenshtein:jest AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of jest; the levenshtein match is a false positive for this well-established WebAssembly tooling package. ai
typosquat typosquat.levenshtein:got AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of got; false positive for this well-established WebAssembly tooling package. ai
typosquat typosquat.levenshtein:qs AI (typosquat): Scoped package @webassemblyjs/ast is not a typosquat of qs; false positive for this well-established WebAssembly tooling package. ai
dependencies unvetted-dep:@webassemblyjs/helper-wasm-bytecode AI (dependencies): Sibling package from the same @webassemblyjs namespace and author (xtuc); not a suspicious third-party dependency. ai

Versions (showing 67 of 67)

Version Deps Published
1.14.1 2 / 4
1.13.2 2 / 4
1.13.1 2 / 4
1.12.1 2 / 4
1.11.6 2 / 4
1.11.5 2 / 4
1.11.3 2 / 4
1.11.1 2 / 4
1.11.0 2 / 4
1.10.1 2 / 4
1.10.0 2 / 4
1.9.1 3 / 4
1.9.0 3 / 4
1.8.5 3 / 4
1.8.4 3 / 4
1.8.3 3 / 4
1.8.2 3 / 4
1.8.1 3 / 4
1.8.0 3 / 4
1.7.11 3 / 4
1.7.10 3 / 4
1.7.9 3 / 4
1.7.8 3 / 4
1.7.7 4 / 3
1.7.6 4 / 3
1.7.5 4 / 3
1.7.4 4 / 3
1.7.3 4 / 3
1.7.2 4 / 3
1.7.1 4 / 3
1.7.0 4 / 3
1.6.1 5 / 3
1.6.0 5 / 3
1.5.13 5 / 3
1.5.12 5 / 3
1.5.11 5 / 3
1.5.10 5 / 3
1.5.9 5 / 3
1.5.8 5 / 3
1.5.7 5 / 3
1.5.6 5 / 3
1.5.5 6 / 3
1.5.4 4 / 2
1.5.3 4 / 2
1.5.2 4 / 2
1.5.1 4 / 2
1.5.0 4 / 2
1.4.3 4 / 1
1.4.2 4 / 1
1.4.1 4 / 1
1.4.0 3 / 1
1.3.3 3 / 1
1.3.2 3 / 1
1.3.1 3 / 1
1.3.0 3 / 1
1.2.8 3 / 1
1.2.7 2 / 1
1.2.6 2 / 1
1.2.5 2 / 1
1.2.4 2 / 1
1.2.3 2 / 1
1.2.2 3 / 1
1.2.1 3 / 1
1.2.0 3 / 1
1.1.1 3 / 1
1.1.0 3 / 1
1.0.0 3 / 1