cspell-lib
A library of useful functions used across various cspell tools.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): False positive: short README is expected for a monorepo library component; 'empty' entry point is a re-export stub, not the actual library. | ai | |
| source-diff | large-new-source-files | AI (source-diff): cspell-lib is an active monorepo package; large file count increases are expected across minor/patch versions due to build output changes and feature additions. | ai | |
| provenance | no-provenance | AI (provenance): Established package from highly trusted publisher; lack of Sigstore is not a disqualifier for mature, well-maintained projects. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is @cspell/[email protected], a first-party cspell monorepo package pinned to the same version. Not a suspicious third-party addition. | ai | |
| phantom-deps | phantom-dep:comment-json | AI (phantom-deps): Legitimate phantom dependency; declared in package.json and referenced in config files but not directly imported in source code. | ai | |
| phantom-deps | phantom-dep:fast-equals | AI (phantom-deps): Legitimate phantom dependency; declared in package.json and referenced in config files but not directly imported in source code. | ai | |
| dependencies | unvetted-dep:env-paths | AI (dependencies): env-paths is a well-known, benign utility for OS standard paths. Its use in cspell-lib for locating config/cache directories is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:@cspell/cspell-bundled-dicts | AI (phantom-deps): @cspell/cspell-bundled-dicts is explicitly declared as a runtime dependency in package.json. The phantom-dep finding is a false positive for this package. | ai |
Versions (showing 100 of 341)
| Version | Deps | Published |
|---|---|---|
| 10.0.0 | 23 / 18 | |
| 9.8.0 | 24 / 18 | |
| 9.7.0 | 24 / 18 | |
| 9.6.4 | 24 / 17 | |
| 9.6.3 | 24 / 17 | |
| 9.6.2 | 23 / 17 | |
| 9.6.1 | 23 / 17 | |
| 9.6.0 | 22 / 17 | |
| 9.4.0 | 22 / 15 | |
| 9.3.2 | 22 / 15 | |
| 9.3.1 | 22 / 15 | |
| 9.3.0 | 22 / 15 | |
| 9.2.2 | 22 / 15 | |
| 9.2.1 | 24 / 14 | |
| 9.2.0 | 24 / 14 | |
| 9.1.5 | 24 / 14 | |
| 9.1.3 | 24 / 14 | |
| 9.1.2 | 24 / 14 | |
| 9.1.1 | 24 / 14 | |
| 9.1.0 | 24 / 14 | |
| 9.0.2 | 24 / 14 | |
| 9.0.1 | 24 / 14 | |
| 9.0.0 | 24 / 14 | |
| 8.19.4 | 24 / 14 | |
| 8.19.3 | 24 / 14 | |
| 8.19.2 | 24 / 14 | |
| 8.19.1 | 24 / 14 | |
| 8.19.0 | 24 / 14 | |
| 8.18.1 | 24 / 14 | |
| 8.18.0 | 24 / 14 | |
| 8.17.5 | 24 / 14 | |
| 8.17.4 | 24 / 14 | |
| 8.17.3 | 24 / 14 | |
| 8.17.2 | 24 / 14 | |
| 8.17.1 | 24 / 14 | |
| 8.17.0 | 24 / 14 | |
| 8.16.1 | 24 / 14 | |
| 8.16.0 | 24 / 14 | |
| 8.15.7 | 24 / 14 | |
| 8.15.6 | 24 / 14 | |
| 8.15.5 | 24 / 14 | |
| 8.15.4 | 24 / 14 | |
| 8.15.3 | 24 / 14 | |
| 8.15.2 | 24 / 14 | |
| 8.15.1 | 24 / 14 | |
| 8.15.0 | 24 / 14 | |
| 8.14.4 | 24 / 14 | |
| 8.14.3 | 24 / 14 | |
| 8.14.2 | 24 / 14 | |
| 8.14.1 | 24 / 14 | |
| 8.13.3 | 23 / 14 | |
| 8.13.2 | 23 / 14 | |
| 8.13.1 | 23 / 14 | |
| 8.13.0 | 23 / 13 | |
| 8.12.1 | 23 / 13 | |
| 8.11.0 | 23 / 13 | |
| 8.10.4 | 23 / 13 | |
| 8.10.2 | 23 / 13 | |
| 8.10.1 | 23 / 13 | |
| 8.10.0 | 23 / 13 | |
| 8.9.1 | 23 / 13 | |
| 8.9.0 | 23 / 13 | |
| 8.8.4 | 22 / 13 | |
| 8.8.3 | 22 / 13 | |
| 8.8.2 | 22 / 13 | |
| 8.8.1 | 22 / 13 | |
| 8.8.0 | 21 / 12 | |
| 8.7.0 | 21 / 12 | |
| 8.6.1 | 21 / 12 | |
| 8.6.0 | 21 / 12 | |
| 8.5.0 | 21 / 12 | |
| 8.4.1 | 21 / 12 | |
| 8.4.0 | 21 / 12 | |
| 8.3.2 | 21 / 11 | |
| 8.3.1 | 21 / 11 | |
| 8.3.0 | 21 / 11 | |
| 8.2.4 | 21 / 11 | |
| 8.2.3 | 21 / 11 | |
| 8.2.1 | 21 / 11 | |
| 8.2.0 | 21 / 11 | |
| 8.1.3 | 21 / 11 | |
| 8.1.2 | 21 / 11 | |
| 8.1.1 | 21 / 11 | |
| 8.1.0 | 21 / 11 | |
| 8.0.0 | 22 / 11 | |
| 7.3.9 | 22 / 11 | |
| 7.3.8 | 22 / 11 | |
| 7.3.7 | 22 / 11 | |
| 7.3.6 | 22 / 11 | |
| 7.3.5 | 22 / 11 | |
| 7.3.4 | 22 / 11 | |
| 7.3.3 | 22 / 11 | |
| 7.3.2 | 22 / 11 | |
| 7.3.1 | 22 / 11 | |
| 7.3.0 | 22 / 11 | |
| 7.2.0 | 22 / 11 | |
| 7.1.1 | 21 / 11 | |
| 7.0.2 | 21 / 11 | |
| 7.0.1 | 21 / 11 | |
| 7.0.0 | 21 / 11 |
v10.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.6.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.6.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.6.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.3.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.2.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.2.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.19.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.19.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.19.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.19.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.19.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.18.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.18.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.17.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.16.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.14.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.14.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.14.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.14.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.