ace-builds
Ace (Ajax.org Cloud9 Editor)
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:src-noconflict/mode-mariadb.js | AI (source-diff): Unminified mode file with long lines; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/mode-cedar.js | AI (source-diff): Minified syntax mode in src-min/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-cedar.js | AI (source-diff): Minified syntax mode in src-min-noconflict/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/ext-whitespaces_in_selection.js | AI (source-diff): Minified editor extension in src-min/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/ext-whitespaces_in_selection.js | AI (source-diff): Minified editor extension in src-min-noconflict/; standard for ace-builds. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New syntax modes (cedar, groq, mariadb, etc.) across 4 build variants is normal for ace-builds. | ai | |
| source-diff | obfuscated-file:src/mode-mariadb.js | AI (source-diff): Unminified mode file with long lines; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/mode-mariadb.js | AI (source-diff): Minified syntax mode in src-min/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-mariadb.js | AI (source-diff): Minified syntax mode in src-min-noconflict/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/mode-groq.js | AI (source-diff): Minified syntax mode in src-min/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-groq.js | AI (source-diff): Minified syntax mode in src-min-noconflict/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/mode-cedarschema.js | AI (source-diff): Minified syntax mode in src-min/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-cedarschema.js | AI (source-diff): Minified syntax mode in src-min-noconflict/; standard for ace-builds. | ai | |
| source-diff | obfuscated-file:src-min/mode-zig.js | AI (source-diff): ace-builds ships minified mode files for every supported language; mode-zig.js is a standard Zig syntax highlighter, not obfuscated code. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-zig.js | AI (source-diff): ace-builds ships minified mode files for every supported language; mode-zig.js is a standard Zig syntax highlighter, not obfuscated code. | ai | |
| source-diff | obfuscated-file:src-min/mode-assembly_arm32.js | AI (source-diff): ace-builds ships minified mode files in src-min/ by design; this is a syntax highlighter, not obfuscated code. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-vue.js | AI (source-diff): ace-builds ships minified mode files in src-min-noconflict/ by design; Vue mode is a standard editor feature. | ai | |
| source-diff | obfuscated-file:src-min/mode-vue.js | AI (source-diff): ace-builds ships minified mode files in src-min/ by design; Vue mode is a standard editor feature. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-assembly_arm32.js | AI (source-diff): ace-builds ships minified mode files in src-min-noconflict/ by design; this is a syntax highlighter, not obfuscated code. | ai | |
| source-diff | obfuscated-file:src-noconflict/theme-cloud_editor_dark.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src/theme-cloud_editor.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-noconflict/theme-cloud_editor.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min/theme-cloud_editor.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/theme-cloud_editor.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/theme-cloud_editor_dark.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min/theme-cloud_editor_dark.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:src/theme-cloud_editor_dark.js | AI (source-diff): Ace theme file with embedded CSS string literal; standard pattern for all Ace themes, not obfuscation. | ai | |
| dependencies | unvetted-dep:ace | AI (dependencies): ace is the upstream source package for ace-builds; this dependency is expected and legitimate for all versions of this package. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/ext-diff.js | AI (source-diff): ace-builds ships minified bundles by design; src-min-noconflict/ contains standard minified output of the Ace editor. | ai | |
| source-diff | obfuscated-file:src-min/mode-clue.js | AI (source-diff): Minified syntax mode file; standard ace-builds output for language modes. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-clue.js | AI (source-diff): Minified syntax mode file; standard ace-builds output for language modes. | ai | |
| source-diff | obfuscated-file:src/ext-diff.js | AI (source-diff): AMD-wrapped bundle with long lines; standard ace-builds format for src/ directory. | ai | |
| source-diff | obfuscated-file:src-noconflict/ext-diff.js | AI (source-diff): AMD-wrapped bundle with long lines; standard ace-builds format for src-noconflict/ directory. | ai | |
| source-diff | obfuscated-file:src-min/ext-diff.js | AI (source-diff): ace-builds ships minified bundles by design; src-min/ contains standard minified output of the Ace editor. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/mode-basic.js | AI (source-diff): ace-builds ships pre-minified editor bundles in src-min-noconflict/; minified mode files are expected. | ai | |
| source-diff | obfuscated-file:src-min/mode-basic.js | AI (source-diff): ace-builds ships pre-minified editor bundles in src-min/; minified mode files are expected. | ai | |
| source-diff | obfuscated-file:src-noconflict/theme-github_light_default.js | AI (source-diff): Ace theme file with inlined CSS string — standard build output pattern for ace-builds, not obfuscation. | ai | |
| source-diff | obfuscated-file:src/theme-github_light_default.js | AI (source-diff): Ace theme file with inlined CSS string — standard build output pattern for ace-builds, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min/theme-github_light_default.js | AI (source-diff): Ace theme file with inlined CSS string — standard build output pattern for ace-builds, not obfuscation. | ai | |
| source-diff | obfuscated-file:src-min-noconflict/theme-github_light_default.js | AI (source-diff): Ace theme file with inlined CSS string — standard build output pattern for ace-builds, not obfuscation. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): ace-builds uses new Function() in its AMD-style worker module loader — standard pattern for browser-bundled code editor workers, not malicious. | ai | |
| provenance | no-provenance | AI (provenance): Established package (3823 days, 1.3M weekly downloads, 138 versions) without Sigstore provenance — acceptable for packages predating widespread provenance adoption. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in worker-coffee.js is part of the CoffeeScript compiler/parser, a legitimate use case for a code editor supporting CoffeeScript syntax. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): False positive: Ace editor snippets/syntax definitions contain /etc/passwd as example content, not credential harvesting. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from nightwing (long-time Ace maintainer) to GitHub Actions CI/CD publishing with SLSA provenance; legitimate modernization. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): False positive: Ace's internal module loader uses dynamic require for its build dependency resolution system. | ai | |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): False positive: Ace's AutoHotKey syntax mode references DLL APIs as language keywords, not actual injection code. | ai |
Versions (showing 39 of 139)
| Version | Deps | Published |
|---|---|---|
| 1.9.3 | 0 / 0 | |
| 1.9.2 | 0 / 0 | |
| 1.9.1 | 0 / 0 | |
| 1.9.0 | 0 / 0 | |
| 1.8.1 | 0 / 0 | |
| 1.8.0 | 0 / 0 | |
| 1.7.1 | 0 / 0 | |
| 1.7.0 | 0 / 0 | |
| 1.6.1 | 0 / 0 | |
| 1.6.0 | 0 / 0 | |
| 1.5.3 | 0 / 0 | |
| 1.5.2 | 0 / 0 | |
| 1.5.1 | 0 / 0 | |
| 1.5.0 | 0 / 0 | |
| 1.4.14 | 0 / 0 | |
| 1.4.13 | 0 / 0 | |
| 1.4.12 | 0 / 0 | |
| 1.4.11 | 0 / 0 | |
| 1.4.10 | 1 / 0 | |
| 1.4.9 | 0 / 0 | |
| 1.4.8 | 0 / 0 | |
| 1.4.7 | 0 / 0 | |
| 1.4.6 | 0 / 0 | |
| 1.4.5 | 0 / 0 | |
| 1.4.4 | 0 / 0 | |
| 1.4.3 | 0 / 0 | |
| 1.4.2 | 0 / 0 | |
| 1.4.1 | 0 / 0 | |
| 1.4.0 | 0 / 0 | |
| 1.3.3 | 0 / 0 | |
| 1.3.2 | 0 / 0 | |
| 1.3.1 | 0 / 0 | |
| 1.3.0 | 0 / 0 | |
| 1.2.9 | 0 / 0 | |
| 1.2.8 | 0 / 0 | |
| 1.2.6 | 0 / 0 | |
| 1.2.5 | 0 / 0 | |
| 1.2.4 | 0 / 0 | |
| 1.2.2 | 0 / 0 |
v1.9.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.