npm-package-json-lint
Configurable linter for package.json files.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:ajv-errors | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:cosmiconfig | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:is-plain-obj | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:strip-json-comments | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:validate-npm-package-name | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| source-diff | obfuscated-file:dist/rules/dependency-audit.js | AI (source-diff): Minified bundled output from tsdown build tool; content is semantically transparent linting logic, not obfuscated malware. This pattern will recur in all future dist builds. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large dist output is expected after migration from esbuild/tsc to tsdown bundler, which inlines dependencies into dist. Stable pattern for this package going forward. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Dependency is bundled into dist by tsdown; not directly imported in source but legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:meow | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:slash | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): Dependency is bundled into dist by tsdown; legitimately declared and used. | ai | |
Versions (showing 51 of 89)
| Version | Deps | Published |
|---|---|---|
| 10.4.0 | 14 / 20 | |
| 10.3.0 | 14 / 20 | |
| 10.2.2 | 16 / 20 | |
| 10.2.1 | 15 / 20 | |
| 10.2.0 | 17 / 23 | |
| 10.1.0 | 17 / 23 | |
| 10.0.0 | 17 / 23 | |
| 9.1.0 | 17 / 21 | |
| 9.0.0 | 17 / 21 | |
| 8.0.0 | 17 / 21 | |
| 7.1.0 | 17 / 21 | |
| 7.0.0 | 17 / 21 | |
| 6.4.0 | 17 / 21 | |
| 6.3.0 | 17 / 21 | |
| 6.2.0 | 17 / 21 | |
| 6.1.0 | 17 / 21 | |
| 6.0.3 | 17 / 21 | |
| 6.0.2 | 17 / 21 | |
| 6.0.1 | 17 / 21 | |
| 6.0.0 | 17 / 21 | |
| 5.4.2 | 15 / 12 | |
| 5.4.1 | 15 / 12 | |
| 5.4.0 | 15 / 12 | |
| 5.3.0 | 15 / 12 | |
| 5.2.4 | 15 / 12 | |
| 5.2.3 | 15 / 12 | |
| 5.2.2 | 15 / 12 | |
| 5.2.1 | 15 / 12 | |
| 5.2.0 | 15 / 12 | |
| 5.1.0 | 15 / 12 | |
| 5.0.0 | 15 / 12 | |
| 4.6.0 | 15 / 11 | |
| 4.5.2 | 15 / 11 | |
| 4.5.1 | 15 / 11 | |
| 4.5.0 | 14 / 11 | |
| 4.4.0 | 13 / 11 | |
| 4.3.0 | 13 / 11 | |
| 4.2.0 | 13 / 11 | |
| 4.1.1 | 13 / 11 | |
| 4.1.0 | 13 / 11 | |
| 4.0.5 | 13 / 11 | |
| 4.0.4 | 13 / 11 | |
| 4.0.3 | 13 / 11 | |
| 4.0.2 | 13 / 11 | |
| 4.0.1 | 13 / 11 | |
| 4.0.0 | 13 / 11 | |
| 3.7.0 | 13 / 9 | |
| 3.6.1 | 13 / 9 | |
| 3.6.0 | 13 / 9 | |
| 3.5.0 | 13 / 9 | |
| 3.4.1 | 12 / 9 | |
v10.4.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.3.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.2.2
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.2.1
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.2.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.1.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-01-02. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.