common-tags
a few common utility template tags for ES2015
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/stripIndent/stripIndent.test.js | AI (source-diff): Babel-transpiled output from `babel src -d lib`; long lines are from regenerator/async transforms, not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from shipping compiled lib/ directory alongside source; standard for Babel-transpiled npm packages. | ai | |
| source-diff | obfuscated-file:lib/tags/tags.js | AI (source-diff): Babel-transpiled output; long lines from standard babel-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/TemplateTag/TemplateTag.js | AI (source-diff): Babel-transpiled ES2015 output from `babel src -d lib` build step; long lines are typical of Babel output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/inlineArrayTransformer/inlineArrayTransformer.js | AI (source-diff): Babel-transpiled ES2015 output from `babel src -d lib` build step; long lines are typical of Babel output, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/index.js | AI (source-diff): es/ directory contains standard Babel-transpiled ES module output with readable code and base64 source maps; not obfuscated. | ai | |
| source-diff | obfuscated-file:es/inlineArrayTransformer/inlineArrayTransformer.js | AI (source-diff): Babel-transpiled ES module output; long lines from base64 source maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/stripIndentTransformer/stripIndentTransformer.js | AI (source-diff): Babel-transpiled ES module output; long lines from base64 source maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/TemplateTag/TemplateTag.js | AI (source-diff): Babel-transpiled ES module output with readable code and inline source maps; long lines are base64 sourceMappingURL. | ai | |
| provenance | publisher-changed | AI (provenance): fatfisz is a listed contributor since before the transition; legitimate maintainer handoff in 2017 with long track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): fatfisz added as maintainer is consistent with contributor list and long npm history; legitimate transfer. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; no CI/CD provenance expected for this era of package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package ships transpiled dist/es/lib directories as build output; file count reflects normal build artifacts. | ai | |
| source-diff | obfuscated-file:lib/createTag/createTag.js | AI (source-diff): Babel-transpiled CJS output; readable code with comments, not obfuscated. Long lines from transpilation artifacts. | ai | |
| source-diff | obfuscated-file:es/createTag/createTag.js | AI (source-diff): Babel-transpiled ES module output; readable code with comments, not obfuscated. Long lines from transpilation artifacts. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 1.8.2 | 0 / 22 | |
| 1.8.1 | 0 / 22 | |
| 1.8.0 | 0 / 22 | |
| 1.7.2 | 1 / 19 | |
| 1.7.1 | 1 / 20 | |
| 1.7.0 | 1 / 18 | |
| 1.6.0 | 1 / 18 | |
| 1.5.1 | 1 / 18 | |
| 1.5.0 | 1 / 18 | |
| 1.4.0 | 1 / 18 | |
| 1.3.1 | 1 / 17 | |
| 1.3.0 | 1 / 17 | |
| 1.2.2 | 1 / 17 | |
| 1.2.1 | 1 / 16 | |
| 1.2.0 | 1 / 16 | |
| 1.1.2 | 1 / 16 | |
| 1.1.1 | 1 / 15 | |
| 1.1.0 | 1 / 13 | |
| 1.0.0 | 1 / 13 | |
| 0.1.1 | 1 / 12 | |
| 0.1.0 | 1 / 12 | |
| 0.0.3 | 0 / 5 | |
| 0.0.2 | 0 / 5 | |
| 0.0.1 | 0 / 5 | |
v1.8.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-05-27. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings
This version was published by a different npm account than previous versions on 2018-01-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
2 findings
This version was published by a different npm account than previous versions on 2017-11-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.