oxlint — Greenflagged

Linter for the JavaScript Oxidation Compiler

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

boshen

Keywords

eslintjavascriptlinteroxcoxlinttypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@oxlint/darwin-arm64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
phantom-deps	phantom-dep:@oxlint/linux-x64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
phantom-deps	phantom-dep:@oxlint/win32-arm64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
phantom-deps	phantom-dep:@oxlint/linux-arm64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
phantom-deps	phantom-dep:@oxlint/win32-x64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
phantom-deps	phantom-dep:@oxlint/darwin-x64	AI (phantom-deps): Platform-specific binary declared as optionalDependency; standard pattern for native bindings.	ai	2026/04/24
source-diff	obfuscated-file:dist/load.d.ts	AI (source-diff): dist/load.d.ts is a bundled TypeScript declaration file with long union type lines, not obfuscated code. .d.ts files cannot execute and pose no runtime risk. Pattern is stable for this package.	ai	2026/04/24
source-diff	obfuscated-file:dist/typescript.cjs	AI (source-diff): dist/typescript.cjs is a minified bundle of source-map utilities (base64 VLQ, URL parsing), not obfuscated malware. Long lines are expected in minified dist output for this linter tool.	ai	2026/04/24
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation is a positive signal confirming CI/CD publishing integrity; stable for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): oxlint migrated from personal (boshen) to GitHub Actions publishing, backed by SLSA provenance attestation. This is a legitimate CI/CD transition for the oxc-project; generalizes to future versions.	ai	2026/04/24
typosquat	typosquat.levenshtein:eslint	AI (typosquat): oxlint is a legitimate, well-established linter from the oxc-project; the name similarity to eslint is intentional branding in the same domain, not a typosquat.	ai	2026/04/24
source-diff	net-exec-file:dist/lint.js	AI (source-diff): createRequire usage is standard ESM-to-CJS interop for loading ts_eslint.cjs; no actual network calls present. False positive for this linter package.	ai	2026/04/23
source-diff	obfuscated-file:dist/lint.js	AI (source-diff): dist/lint.js is a bundled/minified linter module for oxlint; long lines are from bundling, not obfuscation. Code is semantically transparent in samples.	ai	2026/04/23
source-diff	obfuscated-file:dist/ts_eslint.cjs	AI (source-diff): dist/ts_eslint.cjs is a legitimate minified bundle of TypeScript ESLint rules. Long lines are from minification, not obfuscation. SLSA provenance confirms CI/CD origin.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): Size increase is explained by bundling TypeScript ESLint rules (ts_eslint.cjs, 3.8MB) as a new optional feature. Legitimate growth, not injected payload.	ai	2026/04/23