
js-beautify

beautifier.io for node

Versions: 3
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

- evocateur
- bitwiseman

Keywords

beautify, beautifier, code-quality

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:config-chain | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:editorconfig | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-html.js | AI (source-diff): Auto-generated bundled output of js-beautify's HTML beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/src/core/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables; long lines are character class data, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautify.js | AI (source-diff): Auto-generated bundled output of js-beautify's JS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from including generated bundles and test files in the package; expected for this project's build. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Project restructured build output in this version; new files are legitimate auto-generated bundles and tests. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-css.js | AI (source-diff): Auto-generated bundled output of js-beautify's CSS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautifier.js | AI (source-diff): Webpack bundle output of js-beautify's source; standard UMD wrapper with __webpack_require__ bootstrap. Not obfuscated code. | ai | |
| provenance | publisher-changed | AI (provenance): bitwiseman (Liam Newman) is a listed contributor in package.json and has a strong npm track record (106 approved). Legitimate maintainer transition. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used intentionally in unpacker modules to deobfuscate packed JS; core functionality of js-beautify's unpacker feature, not a supply-chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is well-established with strong track record. | ai | |
| source-diff | obfuscated-file:js/src/javascript/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables for identifier matching; long lines are character class data, not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires use __dirname-based paths in test/unpacker modules; standard Node.js pattern, not arbitrary module loading. Stable FP for this package. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): js-beautify ships unpackers for obfuscated JS; these hits are test strings in the unpacker module, not actual obfuscation. Stable FP for this package. | ai | |
| phantom-deps | phantom-dep:js-cookie | AI (phantom-deps): js-cookie is declared in dependencies; it's used in browser context via bundling. Stable FP for this package. | ai | |

Versions (showing 3 of 103)

| Version | Deps | Published |
|---|---|---|
| 0.2.1 | 1 / 0 | |
| 0.2.0 | 1 / 0 | |
| 0.1.8 | 1 / 0 | |

v0.2.1

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.8

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.