nearley MIT 92 versions

nearley

npm Repository Homepage

Simple, fast, powerful parser toolkit for JavaScript.

92

Versions

MIT

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

hardmath123tjvr

Keywords

parserparsegeneratorcompilercompilegrammarlanguage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Maintainer transition from hardmath123 to tjvr occurred in 2018; well-documented and stable for 6+ years.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New deps (moo, commander, semver, railroad-diagrams) are all established utilities; legitimate feature expansion, not malicious injection.	ai	2026/04/22
source-diff	source-size-dropped	AI (source-diff): Size drop reflects removal of nomnom and refactoring to commander; normal maintenance, not code replacement with stub.	ai	2026/04/22
dependencies	unvetted-dep:moo	AI (dependencies): moo is a standard lexer library; natural dependency for a parser generator. Established package with clear purpose.	ai	2026/04/22
npm-metadata	url-dep:railroad-diagrams	AI (npm-metadata): railroad-diagrams is an optional dependency pinned to a specific immutable git commit hash, used only for diagram generation. The immutable pin mitigates the swap risk; this is stable for this package.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): tjvr is a visible contributor to nearley's GitHub repo; legitimate maintainer addition, not account compromise.	ai	2026/04/22
dependencies	unvetted-dep:nomnom	AI (dependencies): nomnom is a stable, widely-used CLI argument parser; constraint ~1.6.2 is appropriate for this package.	ai	2026/04/22
provenance	no-provenance	AI (provenance): nearley predates Sigstore provenance; absence is expected for packages of this age and does not indicate risk.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads user-provided grammar files in test tool; intended use case for parser generator, not arbitrary module loading.	ai	2026/04/21

Versions (showing 92 of 92)

Version	Deps	Published
2.20.1	4 / 11	2020-12-06
2.20.0	5 / 11	2020-12-04
2.19.9	5 / 11	2020-11-29
2.19.8	5 / 11	2020-11-21
2.19.7	5 / 11	2020-09-20
2.19.6	5 / 11	2020-08-20
2.19.5	5 / 11	2020-07-15
2.19.4	5 / 11	2020-06-16
2.19.3	5 / 11	2020-05-01
2.19.2	5 / 11	2020-04-13
2.19.1	5 / 11	2020-01-16
2.19.0	5 / 11	2019-08-31
2.18.0	5 / 11	2019-07-30
2.17.0	5 / 11	2019-07-28
2.16.0	5 / 11	2018-12-21
2.15.1	5 / 11	2018-08-08
2.15.0	5 / 11	2018-07-19
2.14.0	5 / 11	2018-07-19
2.13.0	4 / 12	2018-03-07
2.12.2	5 / 11	2018-07-19
2.12.1	5 / 11	2018-03-04
2.12.0	5 / 11	2018-03-04
2.11.2	4 / 12	2018-03-04
2.11.1	4 / 12	2018-02-11
2.11.0	3 / 10	2017-08-24
2.10.5	3 / 10	2017-08-21
2.10.4	3 / 10	2017-08-15
2.10.3	3 / 10	2017-08-09
2.10.2	3 / 9	2017-07-15
2.10.1	3 / 9	2017-06-17
2.10.0	3 / 9	2017-06-07
2.9.3	3 / 6	2017-06-02
2.9.2	3 / 6	2017-05-12
2.9.1	3 / 6	2017-05-12
2.9.0	3 / 6	2017-05-05
2.8.0	3 / 5	2017-03-09
2.7.15	3 / 5	2017-03-09
2.7.14	3 / 5	2017-02-27
2.7.13	3 / 3	2017-02-18
2.7.12	3 / 3	2017-02-12
2.7.11	3 / 3	2017-01-21
2.7.10	3 / 3	2016-12-07
2.7.9	4 / 3	2016-12-06
2.7.8	4 / 3	2016-11-23
2.7.7	4 / 3	2016-10-18
2.7.6	4 / 3	2016-10-18
2.7.5	4 / 3	2016-10-04
2.7.4	4 / 3	2016-10-02
2.7.3	4 / 3	2016-08-02
2.7.2	4 / 3	2016-08-02
2.7.1	4 / 3	2016-07-26
2.7.0	4 / 3	2016-07-25
2.6.0	4 / 3	2016-06-13
2.5.0	4 / 3	2016-05-21
2.4.1	4 / 3	2016-03-19
2.4.0	4 / 2	2016-02-11
2.3.0	4 / 2	2016-02-11
2.2.0	3 / 2	2016-01-24
2.1.1	3 / 0	2016-01-04
2.0.1	3 / 0	2016-01-02
2.0.0	3 / 0	2015-12-28
1.9.0	2 / 0	2015-12-18
1.8.0	2 / 0	2015-09-30
1.7.0	2 / 0	2015-09-27
1.6.2	2 / 0	2015-09-21
1.6.1	2 / 0	2015-09-21
1.6.0	2 / 0	2015-09-20
1.5.0	2 / 0	2015-07-28
1.4.0	2 / 0	2015-05-12
1.3.1	2 / 0	2015-05-12
1.3.0	2 / 0	2015-05-12
1.2.2	2 / 0	2015-05-02
1.2.1	1 / 0	2014-12-27
1.2.0	1 / 0	2014-11-16
1.1.0	1 / 0	2014-11-10
1.0.1	1 / 0	2014-10-25
1.0.0	1 / 0	2014-10-16
0.4.0	1 / 0	2014-10-10
0.3.0	1 / 0	2014-10-09
0.2.3	1 / 0	2014-10-07
0.2.2	1 / 0	2014-05-26
0.2.1	1 / 0	2014-04-20
0.2.0	1 / 0	2014-04-12
0.1.1	1 / 1	2014-03-29
0.1.0	1 / 1	2014-03-29
0.0.7	1 / 0	2014-03-19
0.0.6	1 / 0	2014-03-19
0.0.5	1 / 0	2014-03-11
0.0.4	1 / 0	2014-03-03
0.0.3	1 / 0	2014-02-25
0.0.2	1 / 0	2014-02-24
0.0.1	1 / 0	2014-02-23

v2.20.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.18.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.17.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.12.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.12.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.