emmet — Greenflagged

Emmet — the essential toolkit for web-developers

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

serge.che

Keywords

emmethtmlcsssnippetscoding

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:lib/utils/math.js	AI (source-diff): Vendored js-expression-eval math parser; UMD wrapper + new Function() for expression compilation is standard, not malicious network+exec.	ai	2026/04/24
typosquat	typosquat.levenshtein:helmet	AI (typosquat): Emmet is a well-established brand predating helmet's popularity; the Levenshtein proximity is coincidental, not impersonation.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require iterates over a hardcoded array ['css']; the path is effectively static and not arbitrary module loading.	ai	2026/04/24
phantom-deps	phantom-dep:requirejs	AI (phantom-deps): requirejs is a declared runtime dependency used in AMD build/config files; phantom-dep flag is a false positive for this AMD-based package.	ai	2026/04/24
semgrep	semgrep:eval-usage	AI (semgrep): Used to load user-defined JS configuration/snippet files in emmet.js — expected behavior for a developer toolkit supporting JS-based config, with try/catch error handling.	ai	2026/04/24
npm-metadata	url-dep:lodash	AI (npm-metadata): Points to the emmetio org's own lodash fork on GitHub — consistent with the package's long history and not an external supply-chain risk.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): Used in evaluateMath.js to evaluate user-selected math expressions in the editor — a legitimate and documented use case for this developer toolkit.	ai	2026/04/24

Versions (showing 51 of 53)

View all versions

Version	Deps	Published
2.4.11	2 / 8	2024-09-23
2.4.10	2 / 8	2024-09-23
2.4.9	2 / 8	2024-09-23
2.4.8	2 / 8	2024-09-18
2.4.7	2 / 10	2024-03-13
2.4.6	2 / 10	2023-07-31
2.4.5	2 / 10	2023-07-02
2.4.4	2 / 10	2023-05-10
2.4.3	2 / 10	2023-05-02
2.4.2	2 / 9	2023-04-06
2.4.1	2 / 9	2023-03-31
2.4.0	2 / 9	2023-03-31
2.3.6	2 / 10	2022-02-11
2.3.5	2 / 10	2021-12-14
2.3.4	2 / 10	2021-03-21
2.3.3	2 / 10	2021-03-21
2.3.2	2 / 10	2021-02-27
2.3.1	2 / 10	2021-02-12
2.3.0	2 / 10	2020-12-27
2.2.1	2 / 10	2020-11-13
2.2.0	2 / 10	2020-11-12
2.1.6	2 / 10	2020-10-22
2.1.5	2 / 10	2020-10-10
2.1.4	2 / 10	2020-09-28
2.1.2	2 / 10	2020-08-02
2.1.1	2 / 10	2020-06-06
2.1.0	2 / 10	2020-05-27
2.0.2	2 / 10	2020-05-17
2.0.1	2 / 10	2020-05-09
2.0.0	2 / 10	2020-04-14
1.6.3	1 / 8	2017-04-02
1.6.2	1 / 8	2017-02-03
1.6.1	1 / 8	2016-12-15
1.6.0	1 / 8	2016-07-05
1.5.0	1 / 8	2016-06-28
1.4.1	1 / 8	2016-06-28
1.4.0	1 / 8	2016-06-28
1.3.2	0 / 8	2016-01-17
1.3.1	0 / 8	2015-05-08
1.3.0	0 / 8	2015-04-01
1.2.4	0 / 8	2015-03-16
1.2.3	0 / 8	2015-03-15
1.2.2	0 / 8	2015-01-07
1.2.1	0 / 8	2015-01-05
1.2.0	0 / 8	2014-12-22
1.1.7	2 / 4	2014-11-05
1.1.6	2 / 4	2014-05-07
1.1.5	2 / 4	2014-05-05
1.1.4	2 / 4	2014-05-03
1.1.3	2 / 4	2014-05-02
1.1.2	2 / 4	2014-04-27