json-diff
JSON diff
Versions: 31
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
andreyvit, ewoudenberg
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): ewoudenberg is the documented successor maintainer for json-diff; transition from andreyvit is a known legitimate handoff with clean track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ewoudenberg addition is a legitimate maintainer transition; publisher has 10 approved packages and 0 rejections. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to compiled CoffeeScript output being included in the published package, consistent with the prepare script and this package's build pattern. | ai | |
| phantom-deps | phantom-dep:jscoverage | AI (phantom-deps): jscoverage is referenced only in the 'cov' npm script for developer coverage reporting, not imported at runtime. Misclassified as runtime dep but poses no security risk. | ai | |
| dependencies | unvetted-dep:jscoverage | AI (dependencies): jscoverage is a coverage tool used only in dev scripts; its presence as a runtime dep is a packaging oversight, not a security concern for this package. | ai | |
| dependencies | unvetted-dep:difflib | AI (dependencies): difflib is a legitimate sequence-matching library appropriate for a JSON diff tool; stable dependency for this package. | ai | |
| phantom-deps | phantom-dep:difflib | AI (phantom-deps): difflib is a legitimate runtime dependency used in the CLI/lib output of this CoffeeScript-based package; phantom detection is a false positive for this build pattern. | ai | |
| phantom-deps | phantom-dep:dreamopt | AI (phantom-deps): dreamopt is a legitimate CLI option parsing dependency used in the bin script; phantom detection is a false positive for this build pattern. | ai | |
| phantom-deps | phantom-dep:cli-color | AI (phantom-deps): cli-color is a legitimate runtime dependency for terminal coloring in this diff tool; phantom detection is a false positive for this build pattern. | ai | |
| provenance | no-provenance | AI (provenance): Established 14-year-old package with 31 versions; lack of Sigstore provenance is expected for packages predating the feature and is not a risk signal here. | ai | |
| dependencies | unvetted-dep:@ewoudenberg/difflib | AI (dependencies): Maintained by Eric Woudenberg, a listed contributor to json-diff; a purpose-built difflib port that is a core dependency of this package. | ai | |
| dependencies | unvetted-dep:dreamopt | AI (dependencies): dreamopt is a legitimate CLI option parser dependency used by json-diff's CLI binary; stable dependency across versions. | ai |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.0.6 | 3 / 5 | |
| 1.0.5 | 3 / 5 | |
| 1.0.4 | 3 / 5 | |
| 1.0.3 | 3 / 5 | |
| 1.0.2 | 3 / 5 | |
| 1.0.1 | 3 / 5 | |
| 1.0.0 | 3 / 5 | |
| 0.10.0 | 3 / 5 | |
| 0.9.1 | 3 / 5 | |
| 0.9.0 | 3 / 5 | |
| 0.8.0 | 3 / 5 | |
| 0.7.4 | 3 / 5 | |
| 0.7.3 | 3 / 5 | |
| 0.7.2 | 3 / 5 | |
| 0.7.1 | 3 / 5 | |
| 0.7.0 | 3 / 5 | |
| 0.6.3 | 4 / 4 | |
| 0.6.2 | 4 / 4 | |
| 0.6.1 | 4 / 4 | |
| 0.6.0 | 4 / 4 | |
| 0.5.5 | 3 / 2 | |
| 0.5.4 | 3 / 2 | |
| 0.5.3 | 3 / 2 | |
| 0.5.2 | 3 / 2 | |
| 0.5.1 | 3 / 3 | |
| 0.5.0 | 3 / 3 | |
| 0.3.1 | 3 / 1 | |
| 0.3.0 | 3 / 1 | |
| 0.2.1 | 3 / 1 | |
| 0.2.0 | 3 / 1 | |
| 0.0.1 | 3 / 1 |