monaco-editor
A browser-based code editor
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:pin-github-action | AI (phantom-deps): pin-github-action is a CI workflow utility used only in the update-actions script; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:shelljs | AI (phantom-deps): shelljs is a build/scripting tool mistakenly placed in dependencies instead of devDependencies; not imported at runtime by consumers. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/shelljs | AI (phantom-deps): @types/shelljs is a TypeScript type definition for build tooling; not a runtime dependency. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:pin-github-action | AI (dependencies): pin-github-action is a CI tooling dependency used only for GitHub Actions workflow pinning; poses no runtime risk to consumers of monaco-editor. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): False positive: 'fetch' is a class method name (fetch(providers, ...)), not a top-level HTTP fetch() call. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): marked is a legitimate runtime dep used by monaco-editor for Markdown rendering; bundled at build time so no direct import in distributed source. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): dompurify is a legitimate runtime dep used by monaco-editor for HTML sanitization; bundled at build time so no direct import in distributed source. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in Monaco's AMD loader is intentional and documented — the loader is designed to dynamically evaluate JS modules in the browser. CodeQL suppression comments confirm this is a known, reviewed pattern. | ai | |
| provenance | no-provenance | AI (provenance): microsoft1es is a well-established publisher with thousands of approved packages; lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
Versions (showing 100 of 192)
| Version | Deps | Published |
|---|---|---|
| 0.55.1 | 2 / 47 | |
| 0.55.0 | 2 / 47 | |
| 0.54.0 | 2 / 37 | |
| 0.53.0 | 1 / 36 | |
| 0.52.2 | 0 / 36 | |
| 0.52.0 | 0 / 36 | |
| 0.51.0 | 0 / 36 | |
| 0.50.0 | 0 / 36 | |
| 0.49.0 | 0 / 36 | |
| 0.48.0 | 0 / 36 | |
| 0.47.0 | 0 / 36 | |
| 0.46.0 | 0 / 36 | |
| 0.45.0 | 0 / 36 | |
| 0.44.0 | 0 / 36 | |
| 0.43.0 | 0 / 36 | |
| 0.41.0 | 0 / 36 | |
| 0.40.0 | 0 / 36 | |
| 0.39.0 | 0 / 36 | |
| 0.38.0 | 0 / 36 | |
| 0.37.1 | 0 / 36 | |
| 0.37.0 | 0 / 36 | |
| 0.36.1 | 0 / 37 | |
| 0.36.0 | 3 / 34 | |
| 0.35.0 | 0 / 33 | |
| 0.34.1 | 0 / 27 | |
| 0.34.0 | 0 / 27 | |
| 0.33.0 | 0 / 27 | |
| 0.32.1 | 0 / 27 | |
| 0.32.0 | 0 / 27 | |
| 0.31.1 | 0 / 26 | |
| 0.31.0 | 0 / 26 | |
| 0.30.1 | 0 / 27 | |
| 0.30.0 | 0 / 15 | |
| 0.29.1 | 0 / 15 | |
| 0.29.0 | 0 / 15 | |
| 0.28.1 | 0 / 15 | |
| 0.28.0 | 0 / 15 | |
| 0.27.0 | 0 / 15 | |
| 0.26.1 | 0 / 15 | |
| 0.26.0 | 0 / 15 | |
| 0.25.2 | 0 / 15 | |
| 0.25.1 | 0 / 15 | |
| 0.25.0 | 0 / 15 | |
| 0.24.0 | 0 / 15 | |
| 0.23.0 | 0 / 15 | |
| 0.22.3 | 0 / 16 | |
| 0.22.2 | 0 / 16 | |
| 0.22.1 | 0 / 16 | |
| 0.22.0 | 0 / 16 | |
| 0.21.3 | 0 / 16 | |
| 0.21.2 | 0 / 26 | |
| 0.21.1 | 0 / 26 | |
| 0.21.0 | 0 / 26 | |
| 0.20.0 | 0 / 27 | |
| 0.19.3 | 0 / 27 | |
| 0.19.2 | 0 / 27 | |
| 0.19.1 | 0 / 27 | |
| 0.19.0 | 0 / 27 | |
| 0.18.1 | 0 / 16 | |
| 0.18.0 | 0 / 16 | |
| 0.17.1 | 0 / 16 | |
| 0.17.0 | 0 / 16 | |
| 0.16.2 | 0 / 16 | |
| 0.16.1 | 0 / 16 | |
| 0.16.0 | 0 / 16 | |
| 0.15.6 | 0 / 16 | |
| 0.15.5 | 0 / 16 | |
| 0.15.4 | 0 / 16 | |
| 0.15.3 | 0 / 16 | |
| 0.15.2 | 0 / 16 | |
| 0.15.1 | 0 / 16 | |
| 0.15.0 | 0 / 16 | |
| 0.14.3 | 0 / 16 | |
| 0.14.2 | 0 / 16 | |
| 0.14.1 | 0 / 16 | |
| 0.14.0 | 0 / 16 | |
| 0.13.1 | 0 / 16 | |
| 0.13.0 | 0 / 16 | |
| 0.12.0 | 0 / 16 | |
| 0.11.1 | 0 / 16 | |
| 0.11.0 | 0 / 16 | |
| 0.10.1 | 0 / 14 | |
| 0.10.0 | 0 / 14 | |
| 0.9.0 | 0 / 14 | |
| 0.8.3 | 0 / 14 | |
| 0.8.2 | 0 / 14 | |
| 0.8.1 | 0 / 14 | |
| 0.8.0 | 0 / 14 | |
| 0.7.0 | 0 / 10 | |
| 0.6.1 | 0 / 9 | |
| 0.6.0 | 0 / 9 | |
| 0.5.3 | 0 / 9 | |
| 0.5.1 | 0 / 8 | |
| 0.5.0 | 0 / 8 | |
| 0.4.0 | 0 / 7 | |
| 0.3.1 | 0 / 7 | |
| 0.2.4 | 0 / 5 | |
| 0.2.3 | 0 / 5 | |
| 0.0.1 | 0 / 0 | |
| 0.56.0-dev-20260211 | 2 / 47 | |
v0.55.1
3 findings:
- Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
- Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
- Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.55.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.54.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.53.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.52.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.52.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.51.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.50.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.49.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.48.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.47.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.46.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.45.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.44.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.43.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.41.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.40.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.39.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.38.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.37.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.37.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.35.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.30.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.