guess-parser
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
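The check that this status line summarizes can be done against the registry packument directly. The following is an added example, not the scanner's own code: it reads `dist.attestations` from an npm version record, distinguishes a Sigstore/SLSA provenance attestation from a bare `sha512` integrity hash, and lists the versions of a package that lack provenance. The packument shape follows the public registry API as I understand it (`dist.attestations.url` plus `dist.attestations.provenance.predicateType`); the sample records below are constructed, with placeholder hashes, and the `example-pkg` package is hypothetical. For a project with a lockfile, `npm audit signatures` performs the same verification end to end.

```javascript
// Added example: classify an npm version record by its provenance attestation.
// Network usage (not run here):
//   const meta = await (await fetch(`https://registry.npmjs.org/${name}/${version}`)).json();
//   console.log(provenanceStatus(meta));

const SLSA_PREDICATES = new Set([
  'https://slsa.dev/provenance/v0.2',
  'https://slsa.dev/provenance/v1',
]);

// Returns { provenance, integrity, reason } for one version record.
// `integrity` only says the registry stores a sha512 of the tarball; it does
// not tie the tarball to a source commit or a build, which is what provenance adds.
function provenanceStatus(versionMeta) {
  const dist = (versionMeta && versionMeta.dist) || {};
  const integrity = typeof dist.integrity === 'string' && dist.integrity.startsWith('sha512-');
  const att = dist.attestations;
  if (!att || typeof att.url !== 'string') {
    return {
      provenance: false,
      integrity,
      reason: integrity
        ? 'sha512 integrity only: verifies the stored tarball, not that it was built from the public source'
        : 'no attestations and no integrity hash',
    };
  }
  const predicate = att.provenance && att.provenance.predicateType;
  if (!SLSA_PREDICATES.has(predicate)) {
    return { provenance: false, integrity, reason: `attestation present but unrecognised predicate: ${predicate}` };
  }
  return { provenance: true, integrity, reason: `SLSA provenance attestation at ${att.url}` };
}

// Given a full packument (the document with a `versions` map), return every
// version that has no provenance attestation. This is the per-version
// "published without Sigstore provenance" finding in list form.
function versionsWithoutProvenance(packument) {
  return Object.entries(packument.versions || {})
    .filter(([, meta]) => !provenanceStatus(meta).provenance)
    .map(([version]) => version);
}

// Constructed sample records. Hashes are placeholders, not real digests.
const VERSION_NO_PROVENANCE = {
  name: 'example-pkg',
  version: '1.0.0',
  dist: {
    integrity: 'sha512-placeholderplaceholderplaceholderplaceholder==',
    tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
  },
};

const VERSION_WITH_PROVENANCE = {
  name: 'example-pkg',
  version: '1.1.0',
  dist: {
    integrity: 'sha512-anotherplaceholderanotherplaceholderanother==',
    tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.1.0.tgz',
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.1.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: { '1.0.0': VERSION_NO_PROVENANCE, '1.1.0': VERSION_WITH_PROVENANCE },
};

console.log(provenanceStatus(VERSION_NO_PROVENANCE));
console.log(provenanceStatus(VERSION_WITH_PROVENANCE));
console.log('without provenance:', versionsWithoutProvenance(SAMPLE_PACKUMENT));
```

The attestation URL is where the signed bundle can be fetched and verified against the Sigstore transparency log; this snippet only reports its presence and predicate type, which is the signal the status line above is about.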
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a monorepo placeholder version pattern used by guess-js/guess; package is 2910 days old with 47 versions and a trusted publisher (mgechev). | ai | |
| phantom-deps | phantom-dep:@angular/compiler | AI (phantom-deps): @angular/compiler is a framework peer dependency loaded by convention; phantom-dep finding is a stable false positive for this Angular tooling package. | ai | |
| source-diff | obfuscated-file:dist/guess-parser/index.js | AI (source-diff): dist/guess-parser/index.js is a standard webpack UMD bundle (package.json build script is 'webpack'). Minified bundle output is expected and stable for this package. | ai | |
| dependencies | unvetted-dep:ngast | AI (dependencies): ngast is a well-known Angular AST utility library; a natural and expected dependency for an Angular route parser. | ai | |
| phantom-deps | phantom-dep:@angular/compiler-cli | AI (phantom-deps): Angular compiler-cli is a peer dependency used by convention in Angular static analysis tools; phantom-dep is a false positive here. | ai | |
| phantom-deps | phantom-dep:@angular/core | AI (phantom-deps): Angular framework package loaded by convention in Angular ecosystem tools; not a direct import but a required peer. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() calls are webpack devtool:eval bundle artifacts (wrapping module exports), not dynamic code execution. Consistent pattern across all 14 instances in this Angular route parser. | ai | |
| phantom-deps | phantom-dep:rxjs | AI (phantom-deps): rxjs is an Angular 5 peer dependency loaded by convention; phantom-dep finding is a false positive for Angular ecosystem packages. | ai | |
| phantom-deps | phantom-dep:zone.js | AI (phantom-deps): zone.js is an Angular 5 peer dependency loaded by convention; phantom-dep finding is a false positive for Angular ecosystem packages. | ai | |
| provenance | no-provenance | AI (provenance): Established package from known author; lack of provenance is common and not a meaningful risk signal for this package. | ai | |
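Two of the rules accepted above (`obfuscated-file` and `semgrep:eval-usage`) rest on source heuristics that are easy to reproduce. The following is an added example, not the scanner's code: it applies the page's "lines over 3000 chars" rule and separates `eval()` calls that are webpack `devtool: 'eval'` wrappers from genuine dynamic evaluation. The webpack marker it looks for is the `//# sourceURL=webpack://` comment that the eval devtool appends to each module string; the threshold is taken from the page, and all file contents are constructed samples.

```javascript
// Added example: long-line (minification) heuristic and eval() classification.

const LONG_LINE_THRESHOLD = 3000; // the page's "lines over 3000 chars" rule
const WEBPACK_MARKER = '//# sourceURL=webpack://'; // emitted by webpack devtool: 'eval'

// Longest line in the file; a line over the threshold is the minified/obfuscated signal.
function longLineReport(source, threshold = LONG_LINE_THRESHOLD) {
  let maxLine = 0;
  for (const line of source.split('\n')) maxLine = Math.max(maxLine, line.length);
  return { maxLine, minifiedSuspect: maxLine > threshold };
}

// Read a JS string literal starting at src[start] (the opening quote).
// Escapes are folded by keeping the character after the backslash, which is
// enough to locate the closing quote and search the literal for the marker.
function readStringLiteral(src, start) {
  const quote = src[start];
  let value = '';
  for (let i = start + 1; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { value += src[i + 1] || ''; i++; continue; }
    if (c === quote) return { value, end: i + 1 };
    value += c;
  }
  return null; // unterminated literal
}

// For each eval( call: 'webpack-devtool-artifact' when the sole argument is a
// string literal carrying the webpack sourceURL marker, 'static-string' for any
// other constant string, 'dynamic' when the argument is an expression.
function classifyEvalCalls(source) {
  const results = [];
  const re = /\beval\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let i = m.index + m[0].length;
    while (i < source.length && /\s/.test(source[i])) i++;
    let kind = 'dynamic';
    if (source[i] === '"' || source[i] === "'") {
      const lit = readStringLiteral(source, i);
      if (lit) {
        let j = lit.end;
        while (j < source.length && /\s/.test(source[j])) j++;
        kind = source[j] === ')' && lit.value.includes(WEBPACK_MARKER)
          ? 'webpack-devtool-artifact'
          : 'static-string';
      }
    }
    results.push({ offset: m.index, kind });
  }
  return results;
}

// Combined per-file verdict in the shape a scanner row would carry.
function analyzeSource(path, source) {
  const lines = longLineReport(source);
  const evals = classifyEvalCalls(source);
  return {
    path,
    maxLine: lines.maxLine,
    minifiedSuspect: lines.minifiedSuspect,
    evalCalls: evals.length,
    dynamicEval: evals.filter((e) => e.kind === 'dynamic').length,
  };
}

// Constructed samples (not taken from the package).
const SAMPLE_BUNDLE =
  '/******/ (function(modules) {\n' +
  '/***/ (function(module, exports, __webpack_require__) {\n' +
  'eval("Object.defineProperty(exports, \\"__esModule\\", { value: true });\\n' +
  'exports.parseRoutes = function () {};\\n\\n//# sourceURL=webpack://example/./src/index.ts?");\n' +
  '/***/ })\n';

const SAMPLE_DYNAMIC =
  'const payload = Buffer.from(process.env.X || "", "base64").toString();\n' +
  'eval(payload);\n' +
  "eval('1 + 1');\n";

const SAMPLE_MINIFIED = '!function(e){' + 'var a=1;'.repeat(500) + '}();';

console.log(analyzeSource('dist/bundle.js', SAMPLE_BUNDLE));
console.log(analyzeSource('lib/loader.js', SAMPLE_DYNAMIC));
console.log(analyzeSource('dist/min.js', SAMPLE_MINIFIED));
```

A file that trips the long-line rule and whose `eval()` calls are all `webpack-devtool-artifact` matches the accepted-risk reasoning in the table; a file with any `dynamic` call, or a string literal without the bundler marker, is the case that should not be auto-accepted.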
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 0.4.22 | 1 / 1 | |
| 0.4.21 | 1 / 1 | |
| 0.4.20 | 1 / 1 | |
| 0.4.19 | 1 / 1 | |
| 0.4.18 | 1 / 1 | |
| 0.4.17 | 1 / 1 | |
| 0.4.16 | 1 / 1 | |
| 0.4.15 | 1 / 1 | |
| 0.4.14 | 1 / 1 | |
| 0.4.13 | 1 / 1 | |
| 0.4.12 | 1 / 1 | |
| 0.4.11 | 1 / 1 | |
| 0.4.10 | 1 / 1 | |
| 0.4.9 | 1 / 1 | |
| 0.4.8 | 1 / 1 | |
| 0.4.7 | 1 / 1 | |
| 0.4.6 | 1 / 1 | |
| 0.4.5 | 1 / 1 | |
| 0.4.4 | 1 / 1 | |
| 0.4.3 | 1 / 1 | |
| 0.4.2 | 1 / 1 | |
| 0.4.1 | 1 / 1 | |
| 0.4.0 | 1 / 1 | |
| 0.3.13 | 1 / 1 | |
| 0.3.12 | 1 / 1 | |
| 0.3.11 | 1 / 1 | |
| 0.3.10 | 1 / 1 | |
| 0.3.9 | 1 / 1 | |
| 0.3.8 | 1 / 1 | |
| 0.3.7 | 1 / 1 | |
| 0.3.6 | 1 / 1 | |
| 0.3.5 | 1 / 1 | |
| 0.3.4 | 1 / 1 | |
| 0.3.2 | 1 / 1 | |
| 0.3.1 | 1 / 1 | |
| 0.3.0 | 1 / 1 | |
| 0.2.0 | 1 / 1 | |
| 0.1.7 | 6 / 2 | |
| 0.1.6 | 6 / 2 | |
| 0.1.5 | 6 / 2 | |
| 0.1.4 | 6 / 2 | |
| 0.1.1 | 6 / 2 | |
| 0.1.0 | 7 / 2 | |
| 0.0.3 | 7 / 2 | |
| 0.0.2 | 7 / 2 | |
| 0.0.1 | 7 / 2 | |
| 0.0.0 | 7 / 0 |
v0.4.22
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.21
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.20
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.19
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.18
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.17
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.16
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.15
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.14
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.13
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.12
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.11
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.10
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.9
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.7
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.13
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.12
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.10
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.9
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.