coffeelint
Lint your CoffeeScript
Supply chain provenance
Status for the latest visible version (2.1.0): published without Sigstore provenance.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's `dist.integrity` hash only proves that the tarball you downloaded is the one the registry is serving, not that it was built from the repository. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): eval(compile(code)) is the canonical CoffeeScript browser execution pattern; inherent to the package's purpose as a CoffeeScript compiler/linter tool. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in CoffeeScript CLI command.js for spawning compilation processes; standard for a CLI linting tool. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): coffeeify and browserify are well-known build tools used in coffeelint's bundling pipeline; both are phantom deps (not directly imported at runtime). No malicious signal. | ai | |
| phantom-deps | phantom-dep:browserify | AI (phantom-deps): browserify is used in the compile script, not imported at runtime. Minor packaging concern, not a security issue. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script only checks for pre-compiled output and falls back to `npm run compile` (CoffeeScript compiler + browserify). No network access or arbitrary code execution; stable build pattern for this package. | ai | |
| phantom-deps | phantom-dep:coffeeify | AI (phantom-deps): coffeeify is used in the compile script, not imported at runtime. Minor packaging concern, not a security issue. | ai | |
| provenance | no-provenance | AI (provenance): Established package predating Sigstore provenance; absence of attestation is expected and not a security risk for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): All dynamic requires in coffeelint use path.join(__dirname/realpathSync(__filename), 'module-name') to load sibling modules — fully controlled, no user input, standard CLI tool pattern. | ai | |
Versions (showing 51 of 67)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 6 / 2 | |
| 2.0.7 | 6 / 2 | |
| 2.0.6 | 6 / 2 | |
| 2.0.5 | 6 / 2 | |
| 2.0.4 | 8 / 2 | |
| 2.0.3 | 6 / 2 | |
| 2.0.0 | 8 / 2 | |
| 1.16.2 | 6 / 2 | |
| 1.16.0 | 6 / 2 | |
| 1.15.7 | 6 / 2 | |
| 1.15.2 | 6 / 2 | |
| 1.15.1 | 8 / 2 | |
| 1.14.2 | 6 / 2 | |
| 1.14.1 | 6 / 2 | |
| 1.14.0 | 6 / 2 | |
| 1.13.1 | 6 / 2 | |
| 1.12.1 | 6 / 2 | |
| 1.11.0 | 6 / 2 | |
| 1.10.1 | 6 / 2 | |
| 1.10.0 | 6 / 2 | |
| 1.9.7 | 6 / 2 | |
| 1.9.6 | 6 / 2 | |
| 1.9.5 | 6 / 2 | |
| 1.9.4 | 5 / 2 | |
| 1.9.3 | 5 / 2 | |
| 1.9.2 | 5 / 2 | |
| 1.9.0 | 5 / 2 | |
| 1.8.1 | 5 / 2 | |
| 1.7.1 | 5 / 2 | |
| 1.7.0 | 5 / 2 | |
| 1.6.1 | 5 / 2 | |
| 1.6.0 | 5 / 2 | |
| 1.5.7 | 4 / 2 | |
| 1.5.6 | 4 / 2 | |
| 1.5.4 | 6 / 2 | |
| 1.5.2 | 4 / 2 | |
| 1.5.1 | 4 / 2 | |
| 1.5.0 | 4 / 2 | |
| 1.4.1 | 4 / 2 | |
| 1.4.0 | 4 / 2 | |
| 1.3.0 | 3 / 2 | |
| 1.2.0 | 3 / 2 | |
| 1.1.0 | 3 / 2 | |
| 1.0.8 | 3 / 2 | |
| 1.0.2 | 5 / 2 | |
| 1.0.0 | 5 / 2 | |
| 0.6.1 | 5 / 2 | |
| 0.6.0 | 5 / 2 | |
| 0.5.7 | 3 / 2 | |
| 0.5.6 | 3 / 1 | |
| 0.5.5 | 3 / 1 | |
v2.1.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.4
4 findings: Install script: `cake install`
Phantom dependency: Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
Phantom dependency: Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.0
4 findings: Install script: `cake install`
Phantom dependency: Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
Phantom dependency: Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.16.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.15.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.15.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.14.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.12.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.2
2 findings: Install script: `echo 'process.exit(require("fs").existsSync("lib/commandline.js") ? 0 : 1)' | node || npm run compile`
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.