nearley
Simple, fast, powerful parser toolkit for JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Maintainer transition from hardmath123 to tjvr occurred in 2018; well-documented and stable for 6+ years. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (moo, commander, semver, railroad-diagrams) are all established utilities; legitimate feature expansion, not malicious injection. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects removal of nomnom and refactoring to commander; normal maintenance, not code replacement with stub. | ai | |
| dependencies | unvetted-dep:moo | AI (dependencies): moo is a standard lexer library; natural dependency for a parser generator. Established package with clear purpose. | ai | |
| npm-metadata | url-dep:railroad-diagrams | AI (npm-metadata): railroad-diagrams is an optional dependency pinned to a specific immutable git commit hash, used only for diagram generation. The immutable pin mitigates the swap risk; this is stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): tjvr is a visible contributor to nearley's GitHub repo; legitimate maintainer addition, not account compromise. | ai | |
| dependencies | unvetted-dep:nomnom | AI (dependencies): nomnom is a stable, widely-used CLI argument parser; constraint ~1.6.2 is appropriate for this package. | ai | |
| provenance | no-provenance | AI (provenance): nearley predates Sigstore provenance; absence is expected for packages of this age and does not indicate risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads user-provided grammar files in test tool; intended use case for parser generator, not arbitrary module loading. | ai |
Versions (showing 51 of 92)
| Version | Deps | Published |
|---|---|---|
| 2.20.1 | 4 / 11 | |
| 2.20.0 | 5 / 11 | |
| 2.19.9 | 5 / 11 | |
| 2.19.8 | 5 / 11 | |
| 2.19.7 | 5 / 11 | |
| 2.19.6 | 5 / 11 | |
| 2.19.5 | 5 / 11 | |
| 2.19.4 | 5 / 11 | |
| 2.19.3 | 5 / 11 | |
| 2.19.2 | 5 / 11 | |
| 2.19.1 | 5 / 11 | |
| 2.19.0 | 5 / 11 | |
| 2.18.0 | 5 / 11 | |
| 2.17.0 | 5 / 11 | |
| 2.16.0 | 5 / 11 | |
| 2.15.1 | 5 / 11 | |
| 2.15.0 | 5 / 11 | |
| 2.14.0 | 5 / 11 | |
| 2.13.0 | 4 / 12 | |
| 2.12.2 | 5 / 11 | |
| 2.12.1 | 5 / 11 | |
| 2.12.0 | 5 / 11 | |
| 2.11.2 | 4 / 12 | |
| 2.11.1 | 4 / 12 | |
| 2.11.0 | 3 / 10 | |
| 2.10.5 | 3 / 10 | |
| 2.10.4 | 3 / 10 | |
| 2.10.3 | 3 / 10 | |
| 2.10.2 | 3 / 9 | |
| 2.10.1 | 3 / 9 | |
| 2.10.0 | 3 / 9 | |
| 2.9.3 | 3 / 6 | |
| 2.9.2 | 3 / 6 | |
| 2.9.1 | 3 / 6 | |
| 2.9.0 | 3 / 6 | |
| 2.8.0 | 3 / 5 | |
| 2.7.15 | 3 / 5 | |
| 2.7.14 | 3 / 5 | |
| 2.7.13 | 3 / 3 | |
| 2.7.12 | 3 / 3 | |
| 2.7.11 | 3 / 3 | |
| 2.7.10 | 3 / 3 | |
| 2.7.9 | 4 / 3 | |
| 2.7.8 | 4 / 3 | |
| 2.7.7 | 4 / 3 | |
| 2.7.6 | 4 / 3 | |
| 2.7.5 | 4 / 3 | |
| 2.7.4 | 4 / 3 | |
| 2.7.3 | 4 / 3 | |
| 2.7.2 | 4 / 3 | |
| 2.7.1 | 4 / 3 |
v2.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.