eslint-plugin-import-x — Greenflagged

Import with sanity.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

jounqin

Keywords

eslinteslintplugineslint-plugines6jsnextmodulesimportexport

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:get-tsconfig	AI (dependencies): get-tsconfig is a legitimate, widely-used utility for resolving tsconfig files; its use is appropriate and expected for an ESLint import plugin with TypeScript support.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established package with 3.4M weekly downloads and strong publisher track record; lack of Sigstore provenance is not a security risk for this package.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in module-require.js is a standard ESLint plugin pattern for resolving modules within ESLint's own module context. Not arbitrary code execution.	ai	2026/04/24
phantom-deps	phantom-dep:eslint-import-resolver-node	AI (phantom-deps): eslint-import-resolver-node is a resolver referenced in config/docs but not directly imported in code — expected pattern for this plugin's resolver architecture.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher changed from personal account to GitHub Actions CI/CD with SLSA provenance — this is a security improvement, not a risk.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): Mature ESLint plugin with 67 versions; dormancy reflects stability. SLSA provenance confirms legitimate CI/CD publish.	ai	2026/04/23

Versions (showing 51 of 67)

View all versions

Version	Deps	Published
4.16.2	10 / 0	2026-03-11
4.16.1	9 / 0	2025-06-27
4.16.0	9 / 0	2025-06-25
4.15.2	9 / 0	2025-06-11
4.15.1	9 / 0	2025-06-05
4.15.0	9 / 0	2025-05-31
4.14.2	9 / 0	2025-05-31
4.14.1	9 / 0	2025-05-30
4.14.0	10 / 0	2025-05-30
4.13.3	11 / 0	2025-05-26
4.13.2	11 / 0	2025-05-26
4.13.1	11 / 0	2025-05-25
4.13.0	11 / 0	2025-05-25
4.12.2	11 / 0	2025-05-18
4.12.1	11 / 0	2025-05-18
4.12.0	11 / 0	2025-05-18
4.11.1	11 / 0	2025-05-09
4.11.0	11 / 0	2025-04-25
4.10.6	13 / 0	2025-04-20
4.10.5	13 / 0	2025-04-15
4.10.4	13 / 0	2025-04-15
4.10.3	13 / 0	2025-04-13
4.10.2	13 / 0	2025-04-07
4.10.1	13 / 0	2025-04-06
4.10.0	13 / 0	2025-04-01
4.9.4	12 / 0	2025-03-29
4.9.3	12 / 0	2025-03-26
4.9.2	12 / 0	2025-03-25
4.9.1	12 / 0	2025-03-20
4.9.0	11 / 0	2025-03-18
4.8.1	11 / 0	2025-03-18
4.8.0	11 / 0	2025-03-16
4.7.2	12 / 0	2025-03-16
4.7.1	12 / 0	2025-03-15
4.7.0	12 / 71	2025-03-14
4.6.1	13 / 62	2024-12-19
4.6.0	12 / 63	2024-12-19
4.5.1	12 / 63	2024-12-17
4.5.0	11 / 64	2024-12-03
4.4.3	10 / 64	2024-11-20
4.4.2	10 / 64	2024-11-12
4.4.0	10 / 64	2024-10-30
4.3.1	10 / 64	2024-09-29
4.3.0	10 / 64	2024-09-22
4.2.1	10 / 64	2024-09-04
4.2.0	10 / 64	2024-09-04
4.1.1	11 / 64	2024-08-29
4.1.0	11 / 61	2024-08-27
4.0.0	11 / 61	2024-08-26
3.1.0	10 / 55	2024-07-23
3.0.1	11 / 55	2024-07-12

v4.16.2

2 findings

HIGH Publisher changed: jounqin → GitHub Actions (on 2026-03-11) provenance

This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance