jsdoc
An API documentation generator for JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is a best-practice gap, not a security defect; jsdoc's long history and ecosystem trust mitigate this. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): hegemonic is the known long-term jsdoc maintainer; removal of kzh is routine housekeeping, not a takeover signal. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() loads local Jake/lib/mustache.js for build-time template rendering in Jakefile.js; standard pattern for 2013-era build tools. | ai | |
| source-diff | net-exec-file:Jakefile.js | AI (source-diff): Jakefile.js is a build task using eval on a local Mustache file, not a dropper. No actual network calls present. False positive. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): hegemonic (Jeff Williams) is a long-standing core jsdoc maintainer with 104 approved packages and 4900+ day history. | ai | |
| npm-metadata | url-dep:taffydb | AI (npm-metadata): Points to hegemonic's own fork on GitHub; common practice for 2013-era npm packages. Maintainer-owned repo. | ai | |
| npm-metadata | url-dep:crypto-browserify | AI (npm-metadata): Points to dominictarr/crypto-browserify with pinned commit hash; well-known package, common 2013-era practice. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @jsdoc/salty is a first-party replacement for taffydb under the same jsdoc GitHub org; the dependency swap is intentional and low-risk. | ai | |
| phantom-deps | phantom-dep:@types/markdown-it | AI (phantom-deps): Type definitions are correctly declared; loaded by convention for markdown-it support. | ai | |
| phantom-deps | phantom-dep:klaw | AI (phantom-deps): klaw is legitimately declared and used for filesystem traversal; false positive. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-known, widely-used Markdown parser; its use in jsdoc for rendering documentation comments is expected and legitimate. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): jsdoc intentionally loads user-specified config files via dynamic require in its CLI. This is documented behavior, not a security risk — the path is user-controlled by design. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 4.0.5 | 15 / 5 | |
| 4.0.4 | 15 / 5 | |
| 4.0.3 | 15 / 5 | |
| 4.0.2 | 15 / 5 | |
| 4.0.1 | 15 / 5 | |
| 4.0.0 | 15 / 5 | |
| 3.6.11 | 15 / 5 | |
| 3.6.10 | 15 / 5 | |
| 3.6.7 | 14 / 5 | |
| 3.6.6 | 14 / 5 | |
| 3.6.5 | 14 / 5 | |
| 3.6.4 | 14 / 5 | |
| 3.6.3 | 14 / 5 | |
| 3.6.2 | 14 / 5 | |
| 3.6.1 | 14 / 5 | |
| 3.6.0 | 14 / 5 | |
| 3.5.5 | 12 / 5 | |
| 3.5.4 | 12 / 5 | |
| 3.5.3 | 12 / 5 | |
| 3.5.2 | 12 / 5 | |
| 3.5.1 | 12 / 5 | |
| 3.5.0 | 12 / 5 | |
| 3.4.3 | 12 / 5 | |
| 3.4.2 | 12 / 5 | |
| 3.3.3 | 11 / 6 | |
| 3.3.2 | 11 / 6 | |
| 3.3.1 | 11 / 6 | |
| 3.3.0 | 11 / 6 | |
| 3.2.2 | 9 / 0 | |
| 0.0.0 | 0 / 0 | |
v4.0.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.2
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.