← Home

lineman

npm Repository Homepage

A grunt-based project scaffold for HTML/CSS/JS apps

6
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

davemosearlsjasonkarns

Keywords

linemangruntyeomanbuildhappinessscaffold

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:grunt-contrib-concat AI (phantom-deps): Lineman is a grunt-based build tool that dynamically loads grunt plugins via config; phantom deps are expected and stable for this package. ai
phantom-deps phantom-dep:grunt-contrib-handlebars AI (phantom-deps): Same as above — grunt plugin loaded via config, not direct require. Expected pattern for lineman. ai
phantom-deps phantom-dep:grunt-asset-fingerprint AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-less AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-sass AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-clean AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-watch-nospawn AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-coffee AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-cssmin AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-jshint AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:grunt-contrib-uglify AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:watch_r-structr-lock AI (phantom-deps): Lineman's dynamic plugin loading architecture makes phantom-dep findings false positives for this package. ai
phantom-deps phantom-dep:grunt-concat-sourcemap AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:lodash AI (phantom-deps): Lineman is a build orchestration tool that declares grunt plugins and utilities as peer/optional deps loaded dynamically at runtime — phantom-dep findings are structural false positives for this package. ai
phantom-deps phantom-dep:semver AI (phantom-deps): Same as above — lineman's design involves dynamic loading of declared deps; phantom-dep is a false positive for this build tool. ai
phantom-deps phantom-dep:resolve AI (phantom-deps): Lineman's dynamic plugin loading architecture makes phantom-dep findings false positives for this package. ai
phantom-deps phantom-dep:commander AI (phantom-deps): Lineman's dynamic plugin loading architecture makes phantom-dep findings false positives for this package. ai
phantom-deps phantom-dep:config-extend AI (phantom-deps): Lineman's dynamic plugin loading architecture makes phantom-dep findings false positives for this package. ai
phantom-deps phantom-dep:grunt-contrib-jst AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
phantom-deps phantom-dep:underscore.string AI (phantom-deps): Lineman's dynamic plugin loading architecture makes phantom-dep findings false positives for this package. ai
phantom-deps phantom-dep:grunt-contrib-copy AI (phantom-deps): Grunt plugin declared as peer dep for dynamic loading — false positive for lineman's build tool architecture. ai
provenance no-provenance AI (provenance): Package is 5023 days old, predating Sigstore provenance by years. No provenance is expected and stable for this package. ai
phantom-deps phantom-dep:testem AI (phantom-deps): The package.json shown is a scaffold template for generated projects, not lineman's own manifest; phantom dep finding is a false positive. ai
phantom-deps phantom-dep:grunt-contrib AI (phantom-deps): Same as testem — declared in lineman's project scaffold template, not lineman's own runtime dependencies. ai
semgrep semgrep:child-process-import AI (semgrep): Lineman is a build tool; child_process usage for executing system commands is expected and documented behavior for this package. ai
semgrep semgrep:eval-usage AI (semgrep): eval() is in jasmine-given.js test helper for operand evaluation — a known pattern in Jasmine test helpers, not a supply-chain risk. ai
phantom-deps phantom-dep:grunt AI (phantom-deps): Lineman is a grunt-based scaffold; grunt plugins are loaded dynamically by name, not via direct require(). Phantom-dep false positive for this architecture. ai
semgrep semgrep:dynamic-require AI (semgrep): require(process.env['LINEMAN_MAIN']) is a documented lineman feature for specifying the main entry point; stable and intentional across all versions. ai
phantom-deps phantom-dep:express AI (phantom-deps): Express is loaded dynamically as part of lineman's dev server; indirect loading pattern expected for this build scaffold. ai
phantom-deps phantom-dep:http-proxy AI (phantom-deps): http-proxy is used indirectly via lineman's proxy configuration; dynamic loading pattern expected for this build scaffold. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is in jasmine-fixture.js test helper for template evaluation — standard pattern in older Jasmine helpers, not a supply-chain risk. ai

Versions (showing 6 of 6)

Version Deps Published
0.24.3 25 / 1
0.18.1 21 / 0
0.1.0 5 / 0
0.0.3 2 / 1
0.0.2 2 / 1
0.0.1 2 / 1

v0.24.3

2 findings
HIGH Unclaimed maintainer email domain: karns.name email-domain

Maintainer email '[email protected]' uses domain 'karns.name' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.1

2 findings
HIGH Unclaimed maintainer email domain: karns.name email-domain

Maintainer email '[email protected]' uses domain 'karns.name' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.