hermes-parser
A JavaScript parser built from the Hermes engine
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
fbflowtypehermes-team
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:hermes-estree | AI (dependencies): hermes-estree is a sibling package from the same Facebook/Meta Hermes ecosystem, co-versioned and published by the same hermes-team publisher. Not a suspicious third-party dependency. | ai | |
| provenance | publisher-changed | AI (provenance): flowtype→hermes-team is a documented Meta organizational transition for Hermes ecosystem packages; not a suspicious takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): hermes-team is Meta's official npm account for Hermes packages; maintainer addition is a legitimate organizational consolidation. | ai | |
| source-diff | obfuscated-file:dist/HermesParserWASM.js | AI (source-diff): This is standard Emscripten-compiled WASM output for the Hermes parser engine; long lines are inherent to WASM JS wrappers, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HermesParserNodeDeserializers.js | AI (source-diff): File is @generated with Meta copyright header; long lines are from generated AST deserializer code, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): hermes-estree is the companion Meta package versioned identically; adding it is expected ecosystem evolution, not an attack vector. | ai | |
| phantom-deps | phantom-dep:hermes-estree | AI (phantom-deps): hermes-estree is a legitimate companion package; indirect/re-exported usage explains why it's not directly imported. | ai | |
| provenance | no-provenance | AI (provenance): hermes-parser is published by Meta's Hermes team; lack of Sigstore provenance is common and not a risk indicator for this well-known package. | ai |
Versions (showing 51 of 63)
| Version | Deps | Published |
|---|---|---|
| 0.36.1 | 1 / 4 | |
| 0.36.0 | 1 / 4 | |
| 0.35.0 | 1 / 4 | |
| 0.34.0 | 1 / 4 | |
| 0.33.3 | 1 / 4 | |
| 0.33.2 | 1 / 4 | |
| 0.33.1 | 1 / 4 | |
| 0.33.0 | 1 / 4 | |
| 0.32.1 | 1 / 4 | |
| 0.32.0 | 1 / 4 | |
| 0.31.2 | 1 / 4 | |
| 0.31.0 | 1 / 4 | |
| 0.30.0 | 1 / 4 | |
| 0.29.1 | 1 / 4 | |
| 0.29.0 | 1 / 4 | |
| 0.28.1 | 1 / 4 | |
| 0.28.0 | 1 / 4 | |
| 0.27.0 | 1 / 4 | |
| 0.26.0 | 1 / 4 | |
| 0.25.1 | 1 / 4 | |
| 0.25.0 | 1 / 4 | |
| 0.24.0 | 1 / 4 | |
| 0.23.1 | 1 / 4 | |
| 0.23.0 | 1 / 4 | |
| 0.22.0 | 1 / 4 | |
| 0.21.1 | 1 / 4 | |
| 0.21.0 | 1 / 4 | |
| 0.20.1 | 1 / 4 | |
| 0.20.0 | 1 / 4 | |
| 0.19.2 | 1 / 4 | |
| 0.19.1 | 1 / 4 | |
| 0.19.0 | 1 / 4 | |
| 0.18.2 | 1 / 4 | |
| 0.18.1 | 1 / 4 | |
| 0.18.0 | 1 / 4 | |
| 0.17.1 | 1 / 4 | |
| 0.17.0 | 1 / 4 | |
| 0.16.0 | 1 / 4 | |
| 0.15.1 | 1 / 4 | |
| 0.15.0 | 1 / 4 | |
| 0.14.0 | 1 / 4 | |
| 0.13.1 | 1 / 4 | |
| 0.13.0 | 1 / 4 | |
| 0.12.1 | 1 / 3 | |
| 0.12.0 | 1 / 3 | |
| 0.11.1 | 1 / 3 | |
| 0.11.0 | 1 / 3 | |
| 0.10.1 | 1 / 2 | |
| 0.10.0 | 1 / 2 | |
| 0.9.0 | 1 / 3 | |
| 0.8.0 | 1 / 3 |
v0.36.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.