grunt-complexity
Evaluates code maintainability using Halstead and Cyclomatic metrics.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:test/grunt.0.3/node_modules/nodeunit/examples/browser/nodeunit.js | AI (source-diff): This is the well-known nodeunit browser bundle containing the public-domain json2.js polyfill. It is a vendored test dependency, not runtime code, and poses no malware risk. | ai | |
| source-diff | net-exec-file:test/grunt.0.3/node_modules/nodeunit/deps/json2.js | AI (source-diff): This is the public-domain json2.js JSON polyfill vendored under test dependencies. The 'network calls' are documentation URLs, not actual network activity. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Size increase is due to bundling full node_modules trees for integration testing (grunt.0.3 and grunt.0.4 test fixtures). Legitimate test infrastructure, not injected payloads. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 12x size increase is entirely explained by vendored test node_modules (nodeunit, iconv-lite, js-yaml, jquery, etc.). No runtime payload injection. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/vendor/benchmark.js/benchmark.js | AI (source-diff): Legitimate Benchmark.js 1.0.0 vendored in test fixtures; Rhino timer shim triggers rule but is not malware. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/lodash.js | AI (source-diff): Legitimate Lo-Dash 1.0.1 vendored in test fixtures; UMD boilerplate triggers rule but is not malware. | ai | |
| phantom-deps | phantom-dep:grunt | AI (phantom-deps): grunt is a peer dependency for a grunt plugin; not directly imported by design — stable false positive for this package. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/vendor/qunit-clib/qunit-clib.js | AI (source-diff): Legitimate QUnit CLI Boilerplate vendored in test fixtures; Rhino eval shim triggers rule but is not malware. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/dist/lodash.compat.js | AI (source-diff): Legitimate Lo-Dash 1.0.1 build variant vendored in test fixtures; standard UMD pattern, not malware. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/dist/lodash.js | AI (source-diff): Legitimate Lo-Dash 1.0.1 modern build vendored in test fixtures; standard UMD pattern, not malware. | ai | |
| source-diff | net-exec-file:test/grunt.0.4/node_modules/findup-sync/node_modules/lodash/dist/lodash.underscore.js | AI (source-diff): Legitimate Lo-Dash 1.0.1 underscore build vendored in test fixtures; standard UMD pattern, not malware. | ai |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 1.1.0 | 4 / 7 | |
| 1.0.1 | 4 / 7 | |
| 1.0.0 | 4 / 7 | |
| 0.4.0 | 3 / 7 | |
| 0.3.1 | 3 / 7 | |
| 0.3.0 | 3 / 7 | |
| 0.2.0 | 3 / 7 | |
| 0.1.71 | 3 / 6 | |
| 0.1.51 | 2 / 6 | |
| 0.1.7 | 3 / 6 | |
| 0.1.6 | 3 / 6 | |
| 0.1.5 | 2 / 6 | |
| 0.1.4 | 2 / 5 | |
| 0.1.3 | 2 / 5 | |
| 0.1.2 | 2 / 5 | |
| 0.1.0 | 2 / 1 | |
| 0.0.7 | 2 / 1 | |
| 0.0.6 | 2 / 1 | |
| 0.0.5 | 2 / 1 | |
| 0.0.4 | 2 / 1 | |
| 0.0.3 | 2 / 1 | |
| 0.0.2 | 2 / 0 | |
| 0.0.1 | 2 / 0 |
v1.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.71
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.51
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
7 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.