eslint-plugin-jsx-a11y — Greenflagged

Static AST checker for accessibility rules on JSX elements.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ljharblencionijessebeachevcohen

Keywords

eslinteslintplugineslint-plugina11yaccessibilityjsx

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase reflects legitimate addition of new ESLint accessibility rules in an early version of this well-established plugin; consistent with organic feature growth.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; absence is expected for this vintage and not a security concern given strong publisher track record.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): Early-stage ESLint plugin adding many rule files is expected growth, not injected code. Package has clean build pipeline with no install scripts or obfuscation.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): lencioni is a known OSS contributor and documented collaborator on this project; addition is consistent with legitimate team expansion.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): object-assign is a ubiquitous, well-vetted polyfill with no malicious history; benign addition for this package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): ljharb is a highly trusted npm publisher (1408 approved packages, 4617 days active). The transition from evcohen to ljharb in 2017 is a documented, legitimate maintainer handoff.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used in scripts/create-rule.js, a developer scaffolding script not executed at install or runtime.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is in test files only, used to load rule modules by name for ESLint plugin testing. Not a runtime risk.	ai	2026/04/21
phantom-deps	phantom-dep:ast-types-flow	AI (phantom-deps): ast-types-flow is a legitimate runtime dependency declared in package.json; phantom-dep flag is a false positive for this package.	ai	2026/04/21

Versions (showing 51 of 84)

View all versions

Version	Deps	Published
6.10.2	15 / 28	2024-10-26
6.10.1	16 / 28	2024-10-21
6.10.0	16 / 29	2024-09-04
6.9.0	16 / 31	2024-06-20
6.8.0	16 / 30	2023-11-01
6.7.1	16 / 29	2023-01-12
6.7.0	16 / 29	2023-01-09
6.6.1	13 / 28	2022-07-21
6.6.0	13 / 28	2022-06-24
6.5.1	12 / 24	2021-11-10
6.5.0	12 / 23	2021-11-10
6.4.1	11 / 22	2020-10-26
6.4.0	11 / 22	2020-10-26
6.3.1	11 / 22	2020-06-19
6.3.0	11 / 22	2020-06-18
6.2.3	9 / 22	2019-07-01
6.2.2	8 / 23	2019-06-30
6.2.1	8 / 25	2019-02-03
6.2.0	8 / 25	2019-01-25
6.1.2	8 / 25	2018-10-05
6.1.1	8 / 24	2018-07-13
6.1.0	8 / 24	2018-07-03
6.0.3	7 / 24	2017-12-13
6.0.2	7 / 22	2017-06-29
6.0.1	7 / 22	2017-06-28
6.0.0	7 / 22	2017-06-27
5.1.1	7 / 22	2017-07-04
5.1.0	7 / 20	2017-06-27
5.0.3	7 / 20	2017-05-16
5.0.2	7 / 20	2017-05-16
5.0.1	7 / 20	2017-05-07
5.0.0	6 / 20	2017-05-05
4.0.0	6 / 20	2017-02-04
3.0.2	3 / 12	2016-12-14
3.0.1	3 / 12	2016-11-07
2.2.3	3 / 11	2016-10-08
2.2.2	3 / 11	2016-09-12
2.2.1	3 / 11	2016-08-31
2.2.0	3 / 11	2016-08-26
2.1.0	3 / 11	2016-08-10
2.0.1	3 / 11	2016-07-13
2.0.0	3 / 11	2016-07-12
1.5.5	3 / 11	2016-07-06
1.5.4	3 / 11	2016-07-06
1.5.3	3 / 11	2016-06-16
1.5.2	3 / 11	2016-06-16
1.5.1	3 / 11	2016-06-16
1.5.0	3 / 11	2016-06-16
1.4.2	3 / 11	2016-06-10
1.4.1	3 / 11	2016-06-10
1.4.0	3 / 9	2016-06-10