js2coffee
JavaScript to CoffeeScript compiler
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which commit was built, by which CI workflow, or that the tarball served by the registry is the one that workflow produced. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): rstacruz is the original author listed in package.json; the 2015 transition from timaschew to rstacruz is a legitimate maintainer reclaim, not a hostile takeover. | ai | |
| source-diff | obfuscated-file:dist/js2coffee.js | AI (source-diff): dist/js2coffee.js is a standard browserify bundle generated by the prepublish script. Content is minified JS compiler code, not malicious obfuscation. | ai | |
| dependencies | unvetted-dep:esprima-fb | AI (dependencies): esprima-fb is a well-known Facebook fork of esprima with an unconventional version scheme; it has been a stable dependency of js2coffee for years with no malicious indicators. | ai | |
| phantom-deps | phantom-dep:read-input | AI (phantom-deps): Consumed via build/bundle step, not direct import. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:escodegen | AI (phantom-deps): js2coffee uses a build/bundle step; deps are consumed by compiled output rather than direct require() calls. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): Consumed via build/bundle step, not direct import. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:esprima-fb | AI (phantom-deps): Same build-step pattern; esprima-fb is a legitimate AST parser fork used in the compiled output. | ai | |
| phantom-deps | phantom-dep:estraverse | AI (phantom-deps): Consumed via build/bundle step, not direct import. Stable false positive for this package. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 2.2.0 | 6 / 11 | |
| 2.1.0 | 6 / 11 | |
| 2.0.4 | 6 / 11 | |
| 2.0.3 | 6 / 11 | |
| 2.0.1 | 6 / 11 | |
| 2.0.0 | 6 / 11 | |
| 0.3.5 | 4 / 12 | |
| 0.3.4 | 5 / 11 | |
| 0.3.3 | 4 / 12 | |
| 0.3.2 | 4 / 12 | |
| 0.3.1 | 4 / 12 | |
| 0.3.0 | 6 / 10 | |
| 0.2.7 | 4 / 10 | |
| 0.2.6 | 4 / 10 | |
| 0.2.5 | 4 / 10 | |
| 0.2.4 | 4 / 10 | |
| 0.2.3 | 4 / 8 | |
| 0.2.1 | 3 / 8 | |
| 0.2.0 | 3 / 7 | |
| 0.1.4 | 3 / 7 | |
| 0.1.3 | 2 / 1 | |
| 0.1.2 | 2 / 1 | |
| 0.1.1 | 2 / 0 | |
| 0.1.0 | 2 / 0 | |
| 0.0.5 | 2 / 0 | |
| 0.0.4 | 2 / 0 | |
| 0.0.3 | 2 / 0 | |
| 0.0.2 | 2 / 0 | |
| 0.0.1 | 2 / 0 |
v2.2.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
v2.1.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
v2.0.4
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
v2.0.3
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
v2.0.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
v2.0.0
3 findings:
This version was published on 2015-01-31 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise; the accepted-risk entry publisher-changed above records it as the timaschew to rstacruz handover.
A newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator; the accepted-risk entry obfuscated-file:dist/js2coffee.js above records this one as a browserify bundle produced by the prepublish script.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance publishing from CI/CD.
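The three checks behind the findings on this page (missing Sigstore provenance, as in the provenance section above, plus the publisher-change and long-line checks reported for v2.0.0) can be reproduced from the registry's own metadata. The block below is an added example, not code from the js2coffee project or from the scanner that produced this report. It runs over a constructed packument (the JSON the registry returns for GET https://registry.npmjs.org/<name>) whose package name, accounts, dates and file contents are made up; the field names it reads (`versions[v].dist.attestations`, `versions[v]._npmUser.name`, `time[v]`) follow the npm registry's packument format, and the `newFilesIn200` map stands in for the files a tarball diff would report as newly added.

```javascript
// Added example: re-implements the report's provenance, publisher-change and
// long-line checks over a constructed npm packument. Not part of js2coffee.
// Package name, accounts, timestamps and file contents are made up.
const packument = {
  name: 'example-pkg',
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2013-01-01T00:00:00.000Z',
    modified: '2016-03-01T00:00:00.000Z',
    '0.3.5': '2014-06-01T00:00:00.000Z',
    '2.0.0': '2015-01-31T00:00:00.000Z',
    '2.1.0': '2016-03-01T00:00:00.000Z',
  },
  versions: {
    '0.3.5': {
      version: '0.3.5',
      _npmUser: { name: 'alice' },
      dist: { tarball: 'https://registry.example/example-pkg-0.3.5.tgz' },
    },
    '2.0.0': {
      version: '2.0.0',
      _npmUser: { name: 'bob' }, // different account than 0.3.5
      dist: { tarball: 'https://registry.example/example-pkg-2.0.0.tgz' },
    },
    '2.1.0': {
      version: '2.1.0',
      _npmUser: { name: 'bob' },
      dist: {
        tarball: 'https://registry.example/example-pkg-2.1.0.tgz',
        // Present only when published with Sigstore provenance (npm publish --provenance).
        attestations: {
          url: 'https://registry.example/-/npm/v1/attestations/example-pkg@2.1.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Constructed stand-in for "files added between 0.3.5 and 2.0.0": one readable
// source file and one browserify-style bundle whose single line exceeds 3000 chars.
const newFilesIn200 = {
  'lib/index.js': 'module.exports = function compile(src) {\n  return src;\n};\n',
  'dist/bundle.js': '!function(){' + 'a'.repeat(3500) + '}();\n',
};

// Check 1: was this version published with Sigstore/SLSA provenance?
// Without dist.attestations nothing ties the tarball to a source commit or CI run.
function hasProvenance(pkg, version) {
  const v = pkg.versions[version];
  if (!v || !v.dist || !v.dist.attestations) return false;
  const p = v.dist.attestations.provenance;
  return Boolean(p && typeof p.predicateType === 'string' && p.predicateType.includes('slsa.dev/provenance'));
}

// Check 2: did the publishing account change between consecutive releases?
// Versions are ordered by publish time rather than by semver, so the check
// compares each release with whatever was actually published before it.
function publisherChanges(pkg) {
  const versions = Object.keys(pkg.versions)
    .sort((a, b) => Date.parse(pkg.time[a]) - Date.parse(pkg.time[b]));
  const changes = [];
  for (let i = 1; i < versions.length; i++) {
    const prev = pkg.versions[versions[i - 1]]._npmUser?.name;
    const curr = pkg.versions[versions[i]]._npmUser?.name;
    if (prev && curr && prev !== curr) {
      changes.push({ version: versions[i], from: prev, to: curr, publishedAt: pkg.time[versions[i]] });
    }
  }
  return changes;
}

// Check 3: which newly added files contain a line longer than `limit` chars?
// Minified bundles trip this, and so does packed payload code, which is why the
// report treats it as an indicator to review rather than a verdict.
function longLineFiles(files, limit = 3000) {
  return Object.entries(files)
    .filter(([, src]) => src.split('\n').some((line) => line.length > limit))
    .map(([name]) => name);
}

// Findings for one version, in roughly the report's wording.
function findingsFor(pkg, version, newFiles) {
  const out = [];
  for (const c of publisherChanges(pkg)) {
    if (c.version === version) {
      out.push(`published by ${c.to} on ${c.publishedAt.slice(0, 10)}; previous versions by ${c.from}`);
    }
  }
  for (const f of longLineFiles(newFiles)) out.push(`newly added file ${f} has lines over 3000 chars`);
  if (!hasProvenance(pkg, version)) out.push('published without Sigstore provenance');
  return out;
}

console.log(findingsFor(packument, '2.0.0', newFilesIn200));
```

For a real package, the packument comes from `npm view <name> --json` or a GET against the registry, and `npm audit signatures` verifies the registry signatures and provenance attestations of everything in an installed tree; the long-line check needs the extracted tarball rather than the packument.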