jade
A clean, whitespace-sensitive template language for writing HTML
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:jade.js | AI (source-diff): jade.js is the browser bundle of the jade template engine. The 'network calls' are a CommonJS require() shim; 'code execution' is new Function() for template compilation — both are core to jade's design. | ai | |
| source-diff | net-exec-file:jade.min.js | AI (source-diff): jade.min.js is the minified browser bundle. Same rationale as jade.js — require() shim and new Function() template compilation are legitimate and expected for this package. | ai | |
| dependencies | unvetted-dep:monocle | AI (dependencies): monocle is a legitimate file-watching utility used by jade's watch mode CLI feature; its use is expected and stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): tjholowaychuk's removal is part of the documented handoff to forbeslindesay; not indicative of a hostile takeover. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of browserify-compiled browser bundles (jade.js, runtime.js) as documented in the new build scripts. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from tjholowaychuk to forbeslindesay is a known, legitimate maintainer transition for the jade template engine in 2013. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): The tjholowaychuk → forbeslindesay transition is a well-documented, legitimate handoff of the jade/pug template engine. forbeslindesay is the recognized successor maintainer with a strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): forbeslindesay is the legitimate successor maintainer of jade/pug; addition is part of a known, documented project transfer. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is the core mechanism by which Jade compiles templates into executable JS functions — fundamental to all template engines, not a malicious pattern. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in jade's CLI is used to parse user-supplied object literals for template options — standard pattern for a template engine CLI, not a supply-chain risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in filters.js is a standard plugin-loading pattern for optional filter implementations. | ai | |
Versions (showing 51 of 99)
| Version | Deps | Published |
|---|---|---|
| 1.11.0 | 10 / 33 | |
| 1.10.0 | 10 / 33 | |
| 1.9.2 | 7 / 28 | |
| 1.9.1 | 8 / 27 | |
| 1.9.0 | 7 / 27 | |
| 1.8.2 | 7 / 27 | |
| 1.8.1 | 8 / 27 | |
| 1.8.0 | 8 / 27 | |
| 1.7.0 | 8 / 27 | |
| 1.6.0 | 8 / 27 | |
| 1.5.0 | 7 / 27 | |
| 1.4.2 | 7 / 27 | |
| 1.4.1 | 7 / 27 | |
| 1.4.0 | 7 / 27 | |
| 1.3.1 | 7 / 10 | |
| 1.3.0 | 7 / 10 | |
| 1.2.0 | 7 / 10 | |
| 1.1.5 | 7 / 9 | |
| 1.1.4 | 7 / 9 | |
| 1.1.3 | 7 / 9 | |
| 1.1.2 | 7 / 9 | |
| 1.1.1 | 7 / 9 | |
| 1.1.0 | 7 / 9 | |
| 1.0.2 | 7 / 9 | |
| 1.0.1 | 7 / 9 | |
| 1.0.0 | 7 / 10 | |
| 0.35.0 | 7 / 10 | |
| 0.34.1 | 7 / 10 | |
| 0.34.0 | 7 / 10 | |
| 0.33.0 | 7 / 10 | |
| 0.32.0 | 7 / 10 | |
| 0.31.2 | 6 / 10 | |
| 0.31.1 | 6 / 9 | |
| 0.31.0 | 6 / 9 | |
| 0.30.0 | 5 / 8 | |
| 0.29.0 | 5 / 8 | |
| 0.28.2 | 2 / 8 | |
| 0.28.1 | 3 / 7 | |
| 0.28.0 | 3 / 7 | |
| 0.27.7 | 3 / 7 | |
| 0.27.6 | 2 / 7 | |
| 0.27.5 | 2 / 7 | |
| 0.27.4 | 2 / 7 | |
| 0.27.3 | 2 / 7 | |
| 0.27.2 | 2 / 7 | |
| 0.27.1 | 2 / 7 | |
| 0.27.0 | 2 / 7 | |
| 0.26.3 | 2 / 7 | |
| 0.26.2 | 2 / 7 | |
| 0.26.1 | 2 / 7 | |
| 0.26.0 | 2 / 7 |
v1.11.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-05-25. This could indicate a legitimate maintainer transition or an account compromise.
v1.9.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-01-13. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.2 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-12-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.1 (3 findings)
All previous maintainers (tjholowaychuk) were replaced by new maintainers (forbeslindesay, bloodyowl, jbnicolai). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-11-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-11-28. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-09-17. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-08-31. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-07-23. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.2 (2 findings)
This version was published by a different npm account than previous versions on 2014-07-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-07-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-07-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.1 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-04-04. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-03-02. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-02-26. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.5 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-01-19. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2 (2 findings)
This version was published by a different npm account than previous versions on 2014-01-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1 (2 findings)
This version was published by a different npm account than previous versions on 2014-01-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0 (3 findings)
All previous maintainers (tjholowaychuk) were replaced by new maintainers (forbeslindesay). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2014-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2 (3 findings)
All previous maintainers (tjholowaychuk) were replaced by new maintainers (forbeslindesay). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2013-12-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1 (3 findings)
All previous maintainers (tjholowaychuk) were replaced by new maintainers (forbeslindesay). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2013-12-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-12-22. This could indicate a legitimate maintainer transition or an account compromise.
v0.35.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-08-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.34.1 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-07-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.34.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-07-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.33.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-07-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.32.0 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-06-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.31.2 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.31.1 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-05-31. This could indicate a legitimate maintainer transition or an account compromise.
v0.31.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.7 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.6 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.5 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.