iso-639-1
ISO-639-1 codes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/index.js | AI (source-diff): The dist/index.js is a standard Webpack bundle (webpackBootstrap boilerplate visible in sample) for a browser build of the ISO 639-1 library. Not malware. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of a Webpack browser bundle (dist/index.js) and its source map — legitimate build artifact, not injected payload. | ai | |
| phantom-deps | phantom-dep:babel-polyfill | AI (phantom-deps): babel-polyfill is a side-effect polyfill dependency; not typically imported via require() in source files. Stable false positive for this package. | ai |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 3.1.5 | 0 / 5 | |
| 3.1.4 | 0 / 5 | |
| 3.1.3 | 0 / 5 | |
| 3.1.2 | 0 / 5 | |
| 3.1.1 | 0 / 5 | |
| 3.1.0 | 0 / 5 | |
| 3.0.1 | 0 / 5 | |
| 3.0.0 | 0 / 5 | |
| 2.1.15 | 0 / 10 | |
| 2.1.14 | 0 / 10 | |
| 2.1.13 | 0 / 10 | |
| 2.1.12 | 0 / 10 | |
| 2.1.11 | 0 / 10 | |
| 2.1.10 | 0 / 10 | |
| 2.1.9 | 0 / 10 | |
| 2.1.8 | 0 / 10 | |
| 2.1.7 | 0 / 10 | |
| 2.1.6 | 0 / 10 | |
| 2.1.5 | 0 / 10 | |
| 2.1.4 | 0 / 10 | |
| 2.1.3 | 0 / 10 | |
| 2.1.2 | 0 / 10 | |
| 2.1.1 | 0 / 10 | |
| 2.1.0 | 0 / 10 | |
| 2.0.5 | 0 / 10 | |
| 2.0.3 | 0 / 10 | |
| 2.0.2 | 0 / 10 | |
| 2.0.1 | 0 / 7 | |
| 2.0.0 | 2 / 8 | |
| 1.3.2 | 2 / 8 | |
| 1.3.1 | 2 / 8 | |
| 1.3.0 | 2 / 8 | |
| 1.2.5 | 2 / 8 | |
| 1.2.4 | 1 / 9 | |
| 1.2.3 | 1 / 8 | |
| 1.2.2 | 0 / 9 | |
| 1.2.1 | 0 / 2 | |
| 1.1.0 | 0 / 2 | |
| 1.0.1 | 0 / 2 | |
| 1.0.0 | 0 / 2 | |
| 0.1.2 | 0 / 1 | |
| 0.1.1 | 0 / 1 | |
| 0.1.0 | 0 / 1 |
v3.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.