eslint-config-next — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

timneutkenstimervercel-release-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Vercel's official release bot with SLSA provenance; dormancy reflects version gap between Next.js 15 and 16, not account takeover.	ai	2026/04/28
publish-pattern	new-deps-added	AI (publish-pattern): globals and typescript-eslint are well-established packages replacing older @typescript-eslint/* split packages; expected migration.	ai	2026/04/28
source-diff	source-size-tripled	AI (source-diff): Size increase reflects new build pipeline (swc compiled dist) and additional config exports; consistent with the refactor scope.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-import-resolver-node	AI (phantom-deps): Resolver plugins are referenced in ESLint config objects, not imported directly; stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-import-resolver-typescript	AI (phantom-deps): Same as eslint-import-resolver-node; config-referenced, not directly imported.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-plugin-react	AI (phantom-deps): ESLint plugins referenced in config, not direct imports; stable pattern for shareable configs.	ai	2026/04/28
phantom-deps	phantom-dep:@typescript-eslint/eslint-plugin	AI (phantom-deps): ESLint plugins referenced in config, not direct imports; stable pattern for shareable configs.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-plugin-import	AI (phantom-deps): ESLint plugins referenced in config, not direct imports; stable pattern for shareable configs.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-plugin-jsx-a11y	AI (phantom-deps): ESLint plugins referenced in config, not direct imports; stable pattern for shareable configs.	ai	2026/04/28
phantom-deps	phantom-dep:@next/eslint-plugin-next	AI (phantom-deps): Framework-scoped plugin loaded by convention; stable for Next.js config.	ai	2026/04/28
phantom-deps	phantom-dep:eslint-plugin-react-hooks	AI (phantom-deps): ESLint plugins referenced in config, not direct imports; stable pattern for shareable configs.	ai	2026/04/28

Versions (showing 57 of 57)

Version	Deps	Published
16.2.5	9 / 3	2026-05-06
16.2.4	9 / 3	2026-04-15
16.2.3	9 / 3	2026-04-08
16.2.2	9 / 3	2026-04-01
16.2.1	9 / 3	2026-03-20
16.2.0	9 / 3	2026-03-18
16.1.7	9 / 3	2026-03-16
16.1.6	9 / 3	2026-01-27
16.1.5	9 / 3	2026-01-26
16.1.4	9 / 3	2026-01-19
16.1.3	9 / 3	2026-01-16
16.1.2	9 / 3	2026-01-14
16.1.1	9 / 3	2025-12-22
16.1.0	9 / 3	2025-12-18
16.0.11	9 / 3	2026-01-26
16.0.10	9 / 3	2025-12-11
16.0.9	9 / 3	2025-12-11
16.0.8	9 / 3	2025-12-08
16.0.7	9 / 3	2025-12-03
16.0.6	9 / 3	2025-11-30
16.0.5	9 / 3	2025-11-26
16.0.4	9 / 3	2025-11-24
16.0.3	9 / 3	2025-11-13
16.0.2	9 / 3	2025-11-12
16.0.1	9 / 3	2025-10-28
16.0.0	9 / 3	2025-10-22
15.5.15	10 / 0	2026-04-08
15.5.14	10 / 0	2026-03-19
15.5.13	10 / 0	2026-03-16
15.5.12	10 / 0	2026-02-04
15.5.11	10 / 0	2026-01-28
15.5.10	10 / 0	2026-01-26
15.5.9	10 / 0	2025-12-11
15.5.8	10 / 0	2025-12-11
15.5.7	10 / 0	2025-12-03
15.4.11	10 / 0	2026-01-26
15.4.10	10 / 0	2025-12-11
15.4.9	10 / 0	2025-12-11
15.4.8	10 / 0	2025-12-03
15.3.9	10 / 0	2026-01-26
15.3.8	10 / 0	2025-12-11
15.3.7	10 / 0	2025-12-11
15.3.6	10 / 0	2025-12-03
15.2.9	10 / 0	2026-01-26
15.2.8	10 / 0	2025-12-11
15.2.7	10 / 0	2025-12-11
15.2.6	10 / 0	2025-12-03
15.1.12	10 / 0	2026-01-26
15.1.11	10 / 0	2025-12-11
15.1.10	10 / 0	2025-12-11
15.1.9	10 / 0	2025-12-03
15.0.8	10 / 0	2026-01-26
15.0.7	10 / 0	2025-12-11
15.0.6	10 / 0	2025-12-11
15.0.5	10 / 0	2025-12-03
14.2.35	10 / 0	2025-12-11
14.2.34	10 / 0	2025-12-11

v16.2.5

2 findings

HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance