eslint-plugin-yml — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

ota-meshi

eslinteslintplugineslint-pluginyamlymllint

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:yaml-eslint-parser	AI (dependencies): yaml-eslint-parser is authored by the same maintainer (ota-meshi) and is the core YAML parsing dependency for this plugin. Expected and legitimate.	ai	2026/04/26
dependencies	unvetted-dep:@ota-meshi/ast-token-store	AI (dependencies): @ota-meshi/ast-token-store is authored by the same maintainer and is a core AST utility dependency. Expected and legitimate.	ai	2026/04/26
phantom-deps	phantom-dep:debug	AI (phantom-deps): debug is declared in package.json dependencies and is a well-known logging utility. Minor packaging concern, not a security issue.	ai	2026/04/26

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.