json-joy
Collection of libraries for building collaborative editing apps.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:editing-traces | AI (npm-metadata): devDependency pointing to author's own repo for test traces; SHA-pinned, not shipped to consumers. | ai | |
| npm-metadata | url-dep:json-crdt-traces | AI (npm-metadata): devDependency pointing to author's own repo for test traces; SHA-pinned, not shipped to consumers. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in CLI test harness files (json-pack-test.js, etc.) that spawn the CLI binary for integration testing. Legitimate and expected for a CLI tool package. | ai | |
| phantom-deps | phantom-dep:nano-css | AI (phantom-deps): nano-css is a declared runtime dependency used in specific sub-modules of this large library; phantom-dep false positive for monorepo-style packages. | ai | |
| phantom-deps | phantom-dep:hyperdyperid | AI (phantom-deps): hyperdyperid is a declared runtime dependency; phantom-dep false positive for this large multi-module package. | ai | |
| phantom-deps | phantom-dep:@jsonjoy.com/json-type | AI (phantom-deps): @jsonjoy.com/json-type is a declared runtime dependency from the same author's ecosystem; phantom-dep false positive. | ai | |
Versions (showing 51 of 324)
| Version | Deps | Published |
|---|---|---|
| 18.24.0 | 17 / 34 | |
| 18.22.0 | 17 / 34 | |
| 18.21.0 | 17 / 34 | |
| 18.20.0 | 17 / 34 | |
| 18.19.0 | 17 / 34 | |
| 18.18.0 | 17 / 34 | |
| 18.17.0 | 17 / 34 | |
| 18.16.0 | 17 / 34 | |
| 18.15.0 | 16 / 34 | |
| 18.14.0 | 16 / 34 | |
| 18.13.0 | 16 / 34 | |
| 18.12.0 | 16 / 34 | |
| 18.11.0 | 16 / 34 | |
| 18.10.0 | 16 / 34 | |
| 18.9.0 | 16 / 34 | |
| 18.8.0 | 16 / 34 | |
| 18.7.0 | 16 / 34 | |
| 18.6.0 | 16 / 34 | |
| 18.5.0 | 16 / 34 | |
| 18.1.0 | 16 / 34 | |
| 18.0.0 | 15 / 34 | |
| 17.67.0 | 15 / 34 | |
| 17.65.0 | 15 / 36 | |
| 17.64.0 | 15 / 36 | |
| 17.63.0 | 15 / 36 | |
| 17.62.0 | 15 / 36 | |
| 17.61.1 | 15 / 36 | |
| 17.61.0 | 15 / 36 | |
| 17.60.0 | 15 / 36 | |
| 17.59.0 | 14 / 33 | |
| 17.58.0 | 14 / 33 | |
| 17.56.0 | 14 / 33 | |
| 17.55.1 | 14 / 33 | |
| 17.55.0 | 13 / 37 | |
| 17.54.0 | 13 / 37 | |
| 17.53.0 | 13 / 37 | |
| 17.52.0 | 13 / 37 | |
| 17.51.0 | 13 / 37 | |
| 17.50.0 | 13 / 37 | |
| 17.49.1 | 13 / 37 | |
| 17.49.0 | 13 / 37 | |
| 17.48.0 | 13 / 37 | |
| 17.47.0 | 13 / 37 | |
| 17.46.0 | 13 / 37 | |
| 17.45.0 | 13 / 37 | |
| 17.44.0 | 13 / 37 | |
| 17.43.0 | 13 / 37 | |
| 17.42.0 | 13 / 37 | |
| 17.41.0 | 13 / 32 | |
| 17.40.0 | 13 / 31 | |
| 17.39.0 | 13 / 31 | |
v18.24.0
3 findings
- Dependency 'editing-traces' in `devDependencies` points to 'git+https://github.com/streamich/editing-traces.git#71c6d732956dbe08a490f8cd9764214bd3d4c9b7' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
- Dependency 'json-crdt-traces' in `devDependencies` points to 'git+https://github.com/streamich/json-crdt-traces.git#ec825401dc05cbb74b9e0b3c4d6527399f54d54d' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.22.0
3 findings
- Dependency 'editing-traces' in `devDependencies` points to 'git+https://github.com/streamich/editing-traces.git#71c6d732956dbe08a490f8cd9764214bd3d4c9b7' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
- Dependency 'json-crdt-traces' in `devDependencies` points to 'git+https://github.com/streamich/json-crdt-traces.git#ec825401dc05cbb74b9e0b3c4d6527399f54d54d' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.21.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.20.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.19.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.18.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.17.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.16.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.15.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.14.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.13.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.12.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.11.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.10.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.9.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.8.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.7.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.6.0
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.5.0
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v18.1.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.67.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.65.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.64.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.63.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.62.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.61.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.61.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.60.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.59.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.58.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.56.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.55.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.55.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.54.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.53.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.52.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.51.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.50.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.49.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.49.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.48.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.47.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.46.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.45.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.44.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.43.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.42.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.41.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.40.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.39.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.