eslint-plugin-import
Import with sanity.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/rules/group-exports.js | AI (source-diff): Standard Babel-transpiled ESLint rule with _interopRequireDefault helpers; not obfuscated. | ai | |
| source-diff | obfuscated-file:lib/rules/no-useless-path-segments.js | AI (source-diff): Standard Babel-transpiled ESLint rule code; long lines from build tooling, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-default-export.js | AI (source-diff): Readable ESLint rule with inline base64 source map from Babel; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-cycle.js | AI (source-diff): Babel-transpiled output with _slicedToArray helper; long lines are standard Babel compilation artifacts, not obfuscation. | ai | |
| dependencies | unvetted-dep:lodash.find | AI (dependencies): lodash.find is a standard, well-known utility module. Its use in this long-established ESLint plugin is routine and poses no meaningful risk. | ai | |
| source-diff | obfuscated-file:lib/rules/no-relative-packages.js | AI (source-diff): Babel-transpiled ESLint rule file; long lines are Babel CommonJS interop output, not obfuscation. Content is legitimate rule logic consistent with the package's purpose. | ai | |
| source-diff | obfuscated-file:lib/rules/no-import-module-exports.js | AI (source-diff): Babel-transpiled ESLint rule file; long lines are Babel CommonJS interop output, not obfuscation. Content is legitimate rule logic consistent with the package's purpose. | ai | |
| source-diff | obfuscated-file:lib/rules/dynamic-import-chunkname.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| source-diff | obfuscated-file:lib/rules/no-relative-parent-imports.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| provenance | publisher-changed | AI (provenance): benmosher→ljharb is a documented, legitimate maintainer transition. ljharb is a highly trusted npm ecosystem maintainer with thousands of approved packages. | ai | |
| source-diff | obfuscated-file:lib/rules/no-unused-modules.js | AI (source-diff): Long lines are Babel CommonJS interop output from the package's documented build process, not obfuscation. Code is clearly a legitimate ESLint rule implementation. | ai | |
| phantom-deps | phantom-dep:babylon | AI (phantom-deps): babylon is the Babel parser referenced as a default string in config; used as a configurable parser name, not a missing dependency concern. | ai | |
| source-diff | obfuscated-file:lib/rules/export.js | AI (source-diff): File is Babel-transpiled ES6 using babel-runtime helpers — a standard pattern for this era. Long lines are from transpiler output, not obfuscation. Logic is readable and benign. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count increase is consistent with a known refactoring (extracting eslint-import-core); not indicative of injected/bundled malicious code for this established plugin. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in eslint-plugin-import is used to resolve ESLint's own module path — a well-understood, intentional pattern for this plugin. | ai | |
| source-diff | obfuscated-file:lib/rules/no-anonymous-default-export.js | AI (source-diff): File contains readable, well-structured ESLint rule code. Long lines are due to dense object literals with string values, not obfuscation. False positive for this package. | ai | |
| dependencies | unvetted-dep:lodash.cond | AI (dependencies): lodash.cond is a standard lodash utility module; its use in an ESLint plugin is benign and expected across all versions of this package. | ai | |
| dependencies | unvetted-dep:contains-path | AI (dependencies): contains-path is a small, benign path-checking utility appropriate for an ESLint import plugin; no security concern across versions. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; absence of attestation is expected and not a risk signal for this package. | ai | |
| source-diff | obfuscated-file:lib/core/fsWalk.js | AI (source-diff): File is Babel-compiled CJS output (standard _interopRequireDefault pattern), not malicious obfuscation. This package builds src/ to lib/ via Babel as part of prepublishOnly. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @rtsao/scc is used for SCC graph algorithm (circular dep detection) and string.prototype.trimend is a standard ES polyfill; both are legitimate additions by a trusted maintainer. | ai | |
| source-diff | obfuscated-file:lib/exportMap/visitor.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/exportMap/typescript.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/exportMap/specifier.js | AI (source-diff): Babel 6 transpiled output. Long lines are build artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/scc.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable StronglyConnectedComponents implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/namespace.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable Namespace class implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/index.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ExportMap class implementation with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/rules/enforce-node-protocol-usage.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint rule logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/doc.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/childContext.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/captureDependency.js | AI (source-diff): Babel 6 transpiled output. Code is semantically readable ESLint plugin logic with no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/exportMap/builder.js | AI (source-diff): lib/ is Babel 6 transpiled output (classic _createClass/_interopRequireDefault pattern). Long lines are an artifact of the build process, not obfuscation. | ai | |
| dependencies | unvetted-dep:has | AI (dependencies): has is a well-known, legitimate utility package. Its use in eslint-plugin-import is benign and stable across versions. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): resolve is a declared runtime dependency used in resolver config files, not directly imported in JS. This is expected behavior for an ESLint plugin and stable across versions. | ai | |
| phantom-deps | phantom-dep:eslint-import-resolver-node | AI (phantom-deps): eslint-import-resolver-node is referenced in config files as the default resolver; this is expected behavior for this plugin, not a phantom dependency issue. | ai | |
| dependencies | unvetted-dep:@rtsao/scc | AI (dependencies): @rtsao/scc is a small utility for strongly connected components, used by eslint-plugin-import for cycle detection. Legitimate and stable. | ai | |
| dependencies | unvetted-dep:array.prototype.findlastindex | AI (dependencies): array.prototype.findlastindex is a standard ES shim maintained by ljharb. Legitimate polyfill dependency. | ai | |
| dependencies | unvetted-dep:object.groupby | AI (dependencies): object.groupby is a standard ES shim maintained by ljharb (same publisher). No malicious history. | ai | |
| dependencies | unvetted-dep:eslint-import-resolver-node | AI (dependencies): eslint-import-resolver-node is the default resolver for eslint-plugin-import, a well-known companion package. Legitimate dependency. | ai | |
| dependencies | unvetted-dep:eslint-module-utils | AI (dependencies): eslint-module-utils is a companion package to eslint-plugin-import, maintained by the same org. Stable legitimate dependency. | ai |
Versions (showing 100 of 115)
| Version | Deps | Published |
|---|---|---|
| 2.32.0 | 19 / 46 | |
| 2.31.0 | 19 / 44 | |
| 2.30.0 | 18 / 44 | |
| 2.29.1 | 17 / 42 | |
| 2.29.0 | 17 / 42 | |
| 2.28.1 | 17 / 42 | |
| 2.28.0 | 18 / 40 | |
| 2.27.5 | 15 / 40 | |
| 2.27.4 | 15 / 40 | |
| 2.27.3 | 14 / 41 | |
| 2.27.2 | 14 / 41 | |
| 2.27.1 | 14 / 41 | |
| 2.27.0 | 13 / 42 | |
| 2.26.0 | 13 / 41 | |
| 2.25.4 | 13 / 41 | |
| 2.25.3 | 13 / 40 | |
| 2.25.2 | 13 / 40 | |
| 2.25.1 | 13 / 40 | |
| 2.25.0 | 13 / 40 | |
| 2.24.2 | 15 / 41 | |
| 2.24.1 | 15 / 41 | |
| 2.24.0 | 15 / 41 | |
| 2.23.4 | 15 / 40 | |
| 2.23.3 | 15 / 40 | |
| 2.23.2 | 16 / 40 | |
| 2.23.1 | 16 / 39 | |
| 2.23.0 | 16 / 39 | |
| 2.22.1 | 13 / 39 | |
| 2.22.0 | 13 / 39 | |
| 2.21.2 | 13 / 39 | |
| 2.21.1 | 13 / 39 | |
| 2.21.0 | 13 / 39 | |
| 2.20.2 | 12 / 33 | |
| 2.20.1 | 12 / 30 | |
| 2.19.1 | 12 / 28 | |
| 2.19.0 | 12 / 28 | |
| 2.18.2 | 11 / 28 | |
| 2.18.1 | 11 / 28 | |
| 2.18.0 | 11 / 28 | |
| 2.17.3 | 11 / 28 | |
| 2.17.2 | 11 / 28 | |
| 2.17.1 | 11 / 28 | |
| 2.17.0 | 11 / 28 | |
| 2.16.0 | 10 / 24 | |
| 2.15.0 | 10 / 24 | |
| 2.14.0 | 10 / 24 | |
| 2.13.0 | 10 / 24 | |
| 2.12.0 | 10 / 24 | |
| 2.11.0 | 10 / 26 | |
| 2.10.0 | 10 / 26 | |
| 2.8.0 | 10 / 24 | |
| 2.7.0 | 10 / 24 | |
| 2.6.1 | 10 / 24 | |
| 2.6.0 | 10 / 24 | |
| 2.5.0 | 10 / 24 | |
| 2.2.0 | 10 / 22 | |
| 2.1.0 | 10 / 22 | |
| 2.0.1 | 10 / 22 | |
| 2.0.0 | 10 / 22 | |
| 1.16.0 | 16 / 21 | |
| 1.15.0 | 15 / 21 | |
| 1.14.0 | 14 / 21 | |
| 1.13.0 | 14 / 19 | |
| 1.12.0 | 14 / 19 | |
| 1.11.1 | 14 / 19 | |
| 1.11.0 | 13 / 19 | |
| 1.10.3 | 13 / 18 | |
| 1.10.2 | 14 / 18 | |
| 1.10.0 | 14 / 18 | |
| 1.9.2 | 13 / 18 | |
| 1.9.1 | 13 / 18 | |
| 1.9.0 | 14 / 18 | |
| 1.8.1 | 12 / 18 | |
| 1.6.1 | 11 / 18 | |
| 1.6.0 | 11 / 18 | |
| 1.5.0 | 6 / 18 | |
| 1.4.0 | 6 / 18 | |
| 1.3.0 | 3 / 20 | |
| 1.2.0 | 3 / 20 | |
| 1.1.0 | 3 / 20 | |
| 1.0.4 | 3 / 20 | |
| 1.0.3 | 3 / 20 | |
| 1.0.2 | 3 / 20 | |
| 1.0.1 | 3 / 20 | |
| 1.0.0 | 3 / 20 | |
| 0.12.0 | 3 / 11 | |
| 0.10.0 | 3 / 8 | |
| 0.9.1 | 3 / 7 | |
| 0.8.1 | 3 / 6 | |
| 0.8.0 | 3 / 6 | |
| 0.7.9 | 3 / 6 | |
| 0.7.8 | 3 / 6 | |
| 0.7.7 | 3 / 7 | |
| 0.7.5 | 6 / 7 | |
| 0.7.4 | 7 / 6 | |
| 0.7.3 | 7 / 6 | |
| 0.7.2 | 6 / 6 | |
| 0.7.1 | 6 / 5 | |
| 0.7.0 | 5 / 6 | |
| 0.6.0 | 5 / 6 |
v2.31.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.27.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.27.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.27.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.27.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.26.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.2
7 findingsThis version was published by a different npm account than previous versions on 2021-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.1
7 findingsThis version was published by a different npm account than previous versions on 2021-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.0
7 findingsThis version was published by a different npm account than previous versions on 2021-05-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.1
5 findingsThis version was published by a different npm account than previous versions on 2020-09-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.0
5 findingsThis version was published by a different npm account than previous versions on 2020-06-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.2
5 findingsThis version was published by a different npm account than previous versions on 2020-06-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.1
5 findingsThis version was published by a different npm account than previous versions on 2020-06-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.0
5 findingsThis version was published by a different npm account than previous versions on 2020-06-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.2
5 findingsThis version was published by a different npm account than previous versions on 2020-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.1
5 findingsThis version was published by a different npm account than previous versions on 2020-02-02. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.1
5 findingsThis version was published by a different npm account than previous versions on 2019-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.0
5 findingsThis version was published by a different npm account than previous versions on 2019-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.2
5 findingsThis version was published by a different npm account than previous versions on 2019-07-19. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.1
5 findingsThis version was published by a different npm account than previous versions on 2019-07-19. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.0
5 findingsThis version was published by a different npm account than previous versions on 2019-06-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.3
5 findingsThis version was published by a different npm account than previous versions on 2019-05-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.2
5 findingsThis version was published by a different npm account than previous versions on 2019-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.1
5 findingsThis version was published by a different npm account than previous versions on 2019-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
5 findingsThis version was published by a different npm account than previous versions on 2019-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
4 findingsThis version was published by a different npm account than previous versions on 2018-08-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
3 findingsThis version was published by a different npm account than previous versions on 2018-06-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.