js-beautify
beautifier.io for node
Supply chain provenance
Status for the latest visible version.
Without SLSA build provenance (the Sigstore-signed attestation that npm records as dist.attestations) there is no cryptographic link between this tarball and the public source: the registry's integrity hash only proves that the bytes you downloaded are the bytes that were uploaded, not that they were built from the commit the package claims to come from. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:config-chain | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:editorconfig | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-html.js | AI (source-diff): Auto-generated bundled output of js-beautify's HTML beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/src/core/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables; long lines are character class data, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautify.js | AI (source-diff): Auto-generated bundled output of js-beautify's JS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from including generated bundles and test files in the package; expected for this project's build. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Project restructured build output in this version; new files are legitimate auto-generated bundles and tests. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-css.js | AI (source-diff): Auto-generated bundled output of js-beautify's CSS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautifier.js | AI (source-diff): Webpack bundle output of js-beautify's source; standard UMD wrapper with __webpack_require__ bootstrap. Not obfuscated code. | ai | |
| provenance | publisher-changed | AI (provenance): bitwiseman (Liam Newman) is a listed contributor in package.json and has a strong npm track record (106 approved). Legitimate maintainer transition. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used intentionally in unpacker modules to deobfuscate packed JS — core functionality of js-beautify's unpacker feature, not a supply-chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is well-established with strong track record. | ai | |
| source-diff | obfuscated-file:js/src/javascript/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables for identifier matching; long lines are character class data, not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires use __dirname-based paths in test/unpacker modules — standard Node.js pattern, not arbitrary module loading. Stable FP for this package. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): js-beautify ships unpackers for obfuscated JS; these hits are test strings in the unpacker module, not actual obfuscation. Stable FP for this package. | ai | |
| phantom-deps | phantom-dep:js-cookie | AI (phantom-deps): js-cookie is declared in dependencies; it's used in browser context via bundling. Stable FP for this package. | ai | |
Versions (showing 51 of 103)
| Version | Deps | Published |
|---|---|---|
| 1.15.4 | 5 / 13 | |
| 1.15.3 | 5 / 13 | |
| 1.15.2 | 5 / 13 | |
| 1.15.1 | 5 / 13 | |
| 1.15.0 | 5 / 13 | |
| 1.14.11 | 4 / 13 | |
| 1.14.10 | 4 / 13 | |
| 1.14.9 | 4 / 13 | |
| 1.14.8 | 4 / 13 | |
| 1.14.7 | 4 / 13 | |
| 1.14.6 | 4 / 13 | |
| 1.14.5 | 4 / 13 | |
| 1.14.4 | 4 / 13 | |
| 1.14.3 | 4 / 13 | |
| 1.14.2 | 4 / 13 | |
| 1.14.1 | 5 / 13 | |
| 1.14.0 | 4 / 11 | |
| 1.13.13 | 5 / 11 | |
| 1.13.11 | 5 / 11 | |
| 1.13.8 | 5 / 11 | |
| 1.13.7 | 5 / 11 | |
| 1.13.6 | 5 / 11 | |
| 1.13.5 | 5 / 11 | |
| 1.13.4 | 5 / 11 | |
| 1.13.3 | 5 / 11 | |
| 1.13.2 | 5 / 11 | |
| 1.13.1 | 5 / 11 | |
| 1.13.0 | 5 / 11 | |
| 1.12.0 | 5 / 11 | |
| 1.11.0 | 5 / 11 | |
| 1.10.3 | 5 / 10 | |
| 1.10.2 | 5 / 10 | |
| 1.10.1 | 5 / 8 | |
| 1.10.0 | 5 / 8 | |
| 1.9.1 | 5 / 8 | |
| 1.9.0 | 5 / 8 | |
| 1.8.9 | 5 / 8 | |
| 1.8.8 | 4 / 8 | |
| 1.8.7 | 4 / 8 | |
| 1.8.6 | 4 / 8 | |
| 1.8.5 | 4 / 8 | |
| 1.8.4 | 4 / 8 | |
| 1.8.3 | 4 / 8 | |
| 1.8.1 | 4 / 8 | |
| 1.8.0 | 5 / 8 | |
| 1.7.5 | 4 / 6 | |
| 1.7.4 | 4 / 6 | |
| 1.7.3 | 4 / 6 | |
| 1.7.2 | 4 / 6 | |
| 1.7.1 | 4 / 6 | |
| 1.7.0 | 4 / 6 |
v1.15.4
11 findings (10 packer-pattern hits on 5 lines that appear in both js/lib and js/src, plus 1 provenance finding)

JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source (identical context in both files):
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L87
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/src/unpackers/p_a_c_k_e_r_unpacker.js#L87
```
  85 | var t = sanity_test || new SanityTest();
  86 |
> 87 | var pk1 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  88 | var unpk1 = 'var a=1';
  89 | var pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
```

JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source (identical context in both files):
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L89
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/src/unpackers/p_a_c_k_e_r_unpacker.js#L89
```
  87 | var pk1 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  88 | var unpk1 = 'var a=1';
> 89 | var pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  90 | var unpk2 = 'foo b=1';
  91 | var pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(
```

JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source (identical context in both files):
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L91
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/src/unpackers/p_a_c_k_e_r_unpacker.js#L91
```
  89 | var pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  90 | var unpk2 = 'foo b=1';
> 91 | var pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(
  92 | var pk3 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  93 | var unpk3 = 'var a=1{}))';
```

JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source (identical context in both files):
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L92
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/src/unpackers/p_a_c_k_e_r_unpacker.js#L92
```
  90 | var unpk2 = 'foo b=1';
  91 | var pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(
> 92 | var pk3 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
  93 | var unpk3 = 'var a=1{}))';
  94 |
```

JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source (identical context in both files):
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L104
https://github.com/beautifier/js-beautify/blob/1eab9a1c5e360f375cd77cafc3921ec7558fb705/js/src/unpackers/p_a_c_k_e_r_unpacker.js#L104
```
 102 | t.expect(pk3, unpk3);
 103 | t.expect("function test (){alert ('This is a test!')}; " +
> 104 | "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String))" +
 105 | "{while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function" +
 106 | "(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp(" +
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
2 findings
This version was published by a different npm account than previous versions on 2017-09-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.