coffee-script — Greenflagged

Unfancy JavaScript

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

geoffreyboothjashkenaslydellmichaelficarra

Keywords

javascriptlanguagecoffeescriptcompiler

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:install	AI (install-scripts): Early CoffeeScript version (2010) used `sudo bin/cake install` as its build flow; this is a historical artifact of the canonical CoffeeScript compiler, not malicious.	ai	2026/04/24
maintainer-change	maintainer-takeover	AI (maintainer-change): Legitimate transfer from jashkenas to michaelficarra (well-known CoffeeScript co-maintainer) in 2014; widely documented.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): jashkenas removal is part of the documented 2014 maintainer transition to michaelficarra; not a hijack.	ai	2026/04/24
source-diff	net-exec-file:lib/coffee-script/browser.js	AI (source-diff): CoffeeScript's browser module loads <script type='text/coffeescript'> tags via XHR and compiles/evals them. This is the documented browser compiler, not a dropper.	ai	2026/04/24
source-diff	obfuscated-file:lib/coffee-script/parser.js	AI (source-diff): Jison-generated parser with long grammar table lines. Machine-generated parser output is expected for CoffeeScript; not obfuscation.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): geoffreybooth is a documented CoffeeScript maintainer; this is a legitimate project handoff.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Legitimate maintainer transition from lydell to geoffreybooth, a known CoffeeScript core maintainer since 2017.	ai	2026/04/24
source-diff	net-exec-file:lib/browser.js	AI (source-diff): CoffeeScript's browser runtime loads <script type='text/coffeescript'> tags via XHR and compiles/evals them. This is the documented in-browser compiler behavior, not a dropper.	ai	2026/04/24
source-diff	obfuscated-file:lib/parser.js	AI (source-diff): Jison-generated parser with long grammar table lines. Standard output from parser generators, not obfuscation. Stable for all versions of coffee-script.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): The coffee CLI tool uses child_process to spawn processes, which is standard and expected behavior for a command-line compiler.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by many years; absence is expected and not a risk signal for this established package.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require implements the --require CLI flag for pre-loading modules; this is a documented, intentional feature of the coffee CLI.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): CoffeeScript.eval() is a core, documented feature of the CoffeeScript compiler — it compiles CS to JS then evals it. Intrinsic to the package's purpose.	ai	2026/04/23

Versions (showing 45 of 45)

Version	Deps	Published
1.12.7	0 / 6	2017-07-17
1.12.6	0 / 6	2017-05-15
1.12.5	0 / 6	2017-04-10
1.12.4	0 / 6	2017-02-18
1.12.3	0 / 6	2017-01-24
1.12.2	0 / 6	2016-12-16
1.12.1	0 / 5	2016-12-08
1.12.0	0 / 5	2016-12-04
1.11.1	0 / 5	2016-10-02
1.11.0	0 / 5	2016-09-24
1.10.0	0 / 5	2015-09-03
1.9.3	0 / 5	2015-05-27
1.9.2	0 / 5	2015-04-15
1.9.1	0 / 5	2015-02-18
1.9.0	0 / 5	2015-01-29
1.8.0	1 / 5	2014-08-26
1.7.1	1 / 4	2014-01-30
1.7.0	1 / 4	2014-01-28
1.6.3	0 / 2	2013-06-02
1.6.2	0 / 2	2013-03-18
1.6.1	0 / 2	2013-03-04
1.6.0	0 / 2	2013-03-04
1.5.0	0 / 2	2013-02-25
1.4.0	0 / 2	2012-10-23
1.3.3	0 / 2	2012-05-15
1.3.2	0 / 2	2012-05-14
1.3.1	0 / 2	2012-04-10
1.3.0	0 / 2	2012-04-10
1.2.0	0 / 2	2011-12-18
1.1.3	0 / 2	2011-11-08
1.1.2	0 / 0	2011-08-05
1.1.1	0 / 0	2011-05-10
1.1.0	0 / 0	2011-05-01
1.0.1	0 / 0	2011-02-01
1.0.0	0 / 0	2010-12-24
0.9.6	0 / 0	2010-12-24
0.9.5	0 / 0	2010-12-24
0.9.4	0 / 0	2010-12-24
0.9.3	0 / 0	2010-12-24
0.9.2	0 / 0	2010-12-24
0.9.1	0 / 0	2010-12-24
0.9.0	0 / 0	2010-12-24
0.7.2	0 / 0	2010-12-24
0.7.1	0 / 0	2010-12-24
0.7.0	0 / 0	2010-12-24

v1.12.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.6

2 findings

HIGH Publisher changed: lydell → geoffreybooth (on 2017-05-15) provenance

This version was published by a different npm account than previous versions on 2017-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jashkenas → lydell (on 2016-09-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-09-24. This could indicate a legitimate maintainer transition or an account compromise.

v1.10.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: michaelficarra → jashkenas (on 2014-08-26) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2014-08-26. This could indicate a legitimate maintainer transition or an account compromise.

v1.7.1

3 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (jashkenas) were replaced by new maintainers (michaelficarra). This is a strong signal of a potential package hijack and requires careful review.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jashkenas → michaelficarra (on 2014-01-30) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2014-01-30. This could indicate a legitimate maintainer transition or an account compromise.

v1.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

3 findings

HIGH New file with network + code execution: lib/coffee-script/browser.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/coffee-script/parser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

3 findings

HIGH New file with network + code execution: lib/coffee-script/browser.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/coffee-script/parser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.3

3 findings

HIGH New file with network + code execution: lib/coffee-script/browser.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/coffee-script/parser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

3 findings

HIGH New file with network + code execution: lib/browser.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: lib/parser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.2

2 findings

HIGH Package has 'install' script install-scripts

Script: bin/cake install

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.1

2 findings

HIGH Package has 'install' script install-scripts

Script: sudo bin/cake install

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.0

2 findings

HIGH Package has 'install' script install-scripts

Script: sudo bin/cake install

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.