jsdoc-75lb
An API documentation generator for JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:async | AI (phantom-deps): async is a legitimate declared dependency used transitively/indirectly; phantom detection is a false positive for this package. | ai | |
| npm-metadata | url-dep:taffydb | AI (npm-metadata): taffydb URL dep points to a specific pinned commit SHA on the hegemonic fork, which is the documented jsdoc dependency. Pinned commit cannot be silently swapped; stable for this package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): The /etc/passwd reference in node_modules-3.4.0/debug/node.js:180 is a code comment describing a test command, not actual credential harvesting code. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): Triggered in js-beautify's p_a_c_k_e_r_unpacker.js which contains packer patterns as test strings for its unpacking functionality — this is the expected content of a packer-detection utility. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Triggered in bundled Bluebird browser build — new Function() is used for legitimate internal optimization in this well-known Promise library. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Triggered in bundled Bluebird browser build — eval() usage is part of Bluebird's legitimate internal code, not malicious. | ai | |
| source-diff | net-exec-file:node_modules-3.4.0/bluebird/js/browser/bluebird.js | AI (source-diff): This is the browser build of the well-known Bluebird Promise library bundled as a node_modules snapshot. The network+eval patterns are Bluebird's legitimate internal optimization code, not malware. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Triggered in bundled eslint and shelljs within node_modules-3.4.0/ snapshot — these are legitimate tools that use child_process as part of their documented functionality. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): Triggered in bundled shelljs within node_modules-3.4.0/ snapshot — shelljs is a legitimate shell utility library that uses child_process.exec by design. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large files are all well-known third-party libraries (handlebars, lodash, jquery, rx-lite) bundled as a node_modules-3.4.0/ archival snapshot, not injected malware. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely explained by the bundled node_modules-3.4.0/ snapshot of third-party libraries included for reference purposes. | ai | |
| dependencies | unvetted-dep:taffydb-75lb | AI (dependencies): taffydb-75lb is the 75lb publisher's own maintained fork of taffydb, consistent with this package being jsdoc-75lb (their fork of jsdoc). Same trusted publisher. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in cli.js is used for test runner path resolution — standard JSDoc test infrastructure pattern, not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:klaw | AI (phantom-deps): klaw is a legitimate file-walking dependency for a documentation generator; phantom detection is a false positive here. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): klaw, mkdirp, taffydb are all well-established packages legitimately used by a JSDoc documentation generator. No malicious signal. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 3.6.0 | 12 / 5 | |
| 3.5.6 | 12 / 5 | |
| 3.5.5 | 12 / 5 | |
| 3.5.4 | 12 / 5 | |
| 3.5.2 | 12 / 5 | |
| 3.5.1 | 12 / 5 | |
| 3.5.0 | 12 / 5 | |
| 3.4.1 | 12 / 5 | |
v3.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.6
7 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/jsdoc2md/jsdoc/blob/52cbee036fb184486fb60f1c1ca6580b5b38ae30/node_modules-3.4.0/debug/node.js#L180
```
178 | // stream from an existing fd which is writable only. But for now
179 | // we'll just add this hack and set the `readable` member to false.
> 180 | // Test: ./node test/fixtures/echo.js < /etc/passwd
181 | stream.readable = false;
182 | stream.read = null;
```
JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source: https://github.com/jsdoc2md/jsdoc/blob/52cbee036fb184486fb60f1c1ca6580b5b38ae30/node_modules-3.4.0/js-beautify/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L56
```
54 | var t = sanity_test || new SanityTest(),
55 |
> 56 | pk1 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
57 | unpk1 = 'var a=1',
58 | pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
```
JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source: https://github.com/jsdoc2md/jsdoc/blob/52cbee036fb184486fb60f1c1ca6580b5b38ae30/node_modules-3.4.0/js-beautify/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L58
```
56 | pk1 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
57 | unpk1 = 'var a=1',
> 58 | pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
59 | unpk2 = 'foo b=1',
60 | pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function
```
JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source: https://github.com/jsdoc2md/jsdoc/blob/52cbee036fb184486fb60f1c1ca6580b5b38ae30/node_modules-3.4.0/js-beautify/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L60
```
58 | pk2 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
59 | unpk2 = 'foo b=1',
> 60 | pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function
61 | pk3 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
62 | unpk3 = 'var a=1{}))',
```
JavaScript packer pattern (eval(function(p,a,c,k,e,...))) detected
Source: https://github.com/jsdoc2md/jsdoc/blob/52cbee036fb184486fb60f1c1ca6580b5b38ae30/node_modules-3.4.0/js-beautify/js/lib/unpackers/p_a_c_k_e_r_unpacker.js#L61
```
59 | unpk2 = 'foo b=1',
60 | pk_broken = "eval(function(p,a,c,k,e,r){BORKBORK;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function
> 61 | pk3 = "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){ret
62 | unpk3 = 'var a=1{}))',
63 |
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.