nunjucks
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
1
Versions
BSD-2-Clause
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
jlongstervecmezonisamypessecarljmfdintino
Keywords
templatetemplating
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Nunjucks postinstall runs 'node postinstall-build.js src' to compile the template engine from source — a documented, benign build step for this package. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Commander is used by the nunjucks-precompile CLI binary (bin/precompile), not the main module. Phantom-dep detection fires because it's not imported in the main entry point, but it's legitimately needed. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is expected in a template engine that compiles templates to JS at runtime; this is core to nunjucks' design and not a security concern in isolation. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 3.2.4 | 3 / 29 |