
esmangle

ECMAScript code mangler / minifier

Versions: 18
License:
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

constellation

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:build/esmangle.js | AI (source-diff): build/esmangle.js is a browserified bundle produced by the package's own build script (browserify + esmangle minification). Long lines are expected output for a JS minifier tool, not obfuscation. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of tmp/ test fixture files and new source files for a minifier tool, consistent with legitimate feature additions. | ai |
source-diff | obfuscated-file:lib/common.js | AI (source-diff): esmangle is a minifier; long lines in its source files are expected. The sample shows legitimate BSD-licensed UMD wrapper code, not malicious obfuscation. | ai |
source-diff | obfuscated-file:lib/esprima.js | AI (source-diff): lib/esprima.js is a bundled copy of the esprima parser with proper BSD copyright headers. Long lines are from minification, not obfuscation. Expected for this tool. | ai |
phantom-deps | phantom-dep:esprima | AI (phantom-deps): esprima is bundled directly as lib/esprima.js and loaded via dynamic require; not imported as a module in the traditional sense. Stable false positive for this package. | ai |
source-diff | net-exec-file:tmp/k0.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | obfuscated-file:tmp/l.js | AI (source-diff): Minified jQuery test fixture; long lines are expected minifier output. | ai |
source-diff | net-exec-file:tmp/l.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/h1.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/l0.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/l2.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/pretty.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | large-new-source-files | AI (source-diff): esmangle is a JS minifier; adding many test fixture files (jQuery variants) is expected behavior for this tool. | ai |
source-diff | net-exec-file:tmp/h3.js | AI (source-diff): tmp/ files are jQuery test fixtures for the esmangle minifier; network+exec patterns are jQuery's own AJAX/eval-JSON internals, not malware. | ai |
source-diff | net-exec-file:tmp/i2.js | AI (source-diff): jQuery 1.8.0 test fixture in tmp/; network+exec patterns are standard jQuery internals. | ai |
source-diff | obfuscated-file:tmp/j.js | AI (source-diff): Minified jQuery test fixture; long lines are expected output of the esmangle minifier tool. | ai |
source-diff | net-exec-file:tmp/j.js | AI (source-diff): Minified jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/h2.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | obfuscated-file:tmp/k.js | AI (source-diff): Minified jQuery test fixture; long lines are expected minifier output. | ai |
source-diff | net-exec-file:tmp/k.js | AI (source-diff): Minified jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
source-diff | net-exec-file:tmp/k2.js | AI (source-diff): jQuery test fixture in tmp/; network+exec patterns are jQuery internals. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): esmangle is a JS minifier/mangler; new Function() usage is expected and inherent to code transformation tooling. Not a security risk in this context. | ai |
license | uncommon-license:BSD | AI (license): BSD is a well-known permissive license; the uncommon-license flag is a false positive for this package. | ai |
provenance | no-provenance | AI (provenance): Package was first published in 2011, long before Sigstore provenance existed. Absence of attestation is expected for packages of this age. | ai |
semgrep | semgrep:child-process-exec | AI (semgrep): exec call in Gruntfile.js runs 'node bin/esmangle.js' on source files; legitimate build/test automation, not runtime code. | ai |
phantom-deps | phantom-dep:source-map | AI (phantom-deps): source-map is explicitly listed in package.json dependencies; analyzer false positive on import detection pattern. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in Gruntfile.js (dev build tooling) to run the CLI tool on test files; standard build task, not runtime malware. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in bin/esmangle.js loads the package's own library from a resolved path; standard CLI self-loading pattern, not arbitrary module loading. | ai |

Versions (showing 18 of 18)

Version | Deps | Published
1.0.1 | 8 / 13 |
1.0.0 | 8 / 12 |
0.0.17 | 7 / 12 |
0.0.16 | 7 / 12 |
0.0.15 | 6 / 12 |
0.0.14 | 6 / 8 |
0.0.13 | 6 / 8 |
0.0.12 | 6 / 3 |
0.0.11 | 6 / 3 |
0.0.10 | 6 / 3 |
0.0.9 | 6 / 3 |
0.0.8 | 6 / 3 |
0.0.7 | 6 / 3 |
0.0.5 | 4 / 2 |
0.0.4 | 2 / 2 |
0.0.3 | 2 / 4 |
0.0.2 | 2 / 4 |
0.0.1 | 2 / 2 |

v1.0.1

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.17

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.16

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.15

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.14

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.13

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.12

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.11

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.10

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.9

2 findings
[HIGH] New obfuscated file: build/esmangle.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.8

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.7

2 findings
[HIGH] New obfuscated file: lib/esprima.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.5

2 findings
[HIGH] New obfuscated file: lib/common.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.4

16 findings
[HIGH] New file with network + code execution: tmp/h3.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/i2.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New obfuscated file: tmp/j.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New file with network + code execution: tmp/j.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/h2.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New obfuscated file: tmp/k.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New file with network + code execution: tmp/k.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/k0.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/k2.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New obfuscated file: tmp/l.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New file with network + code execution: tmp/l.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/h1.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/l0.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/l2.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: tmp/pretty.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding
[INFO] No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.