parsimmon
A monadic LL(infinity) parser combinator library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:install | AI (install-scripts): Early version build pattern: `make commonjs` is a local build step for this parser combinator library. No network access or obfuscation. | ai | |
| email-domain | unclaimed-email:jjmadkisson at gmail dot com | AI (email-domain): False positive: the email is a gmail.com address with obfuscated 'at'/'dot' notation, not a custom unclaimed domain. | ai | |
| email-domain | unclaimed-email:jneen at jneen dot net | AI (email-domain): Original author's anti-spam obfuscated email in package.json; npm auth is via publisher account, not this field. Stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package predating Sigstore provenance; informational only, no security risk. | ai |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 1.18.1 | 0 / 14 | |
| 1.18.0 | 0 / 14 | |
| 1.17.0 | 0 / 14 | |
| 1.16.0 | 0 / 14 | |
| 1.15.0 | 0 / 14 | |
| 1.14.0 | 0 / 14 | |
| 1.13.0 | 0 / 14 | |
| 1.12.1 | 0 / 14 | |
| 1.12.0 | 0 / 9 | |
| 1.11.1 | 0 / 9 | |
| 1.11.0 | 0 / 9 | |
| 1.10.0 | 0 / 9 | |
| 1.9.0 | 0 / 9 | |
| 1.8.0 | 0 / 9 | |
| 1.7.3 | 0 / 9 | |
| 1.7.2 | 0 / 8 | |
| 1.7.1 | 0 / 8 | |
| 1.7.0 | 0 / 8 | |
| 1.6.4 | 0 / 8 | |
| 1.6.2 | 0 / 8 | |
| 1.6.1 | 0 / 8 | |
| 1.6.0 | 0 / 6 | |
| 1.5.0 | 0 / 7 | |
| 1.4.0 | 0 / 7 | |
| 1.3.0 | 0 / 7 | |
| 1.2.0 | 0 / 7 | |
| 1.1.0 | 0 / 7 | |
| 1.0.0 | 0 / 7 | |
| 0.9.2 | 0 / 5 | |
| 0.9.1 | 0 / 5 | |
| 0.9.0 | 0 / 5 | |
| 0.8.1 | 0 / 5 | |
| 0.8.0 | 0 / 5 | |
| 0.7.2 | 0 / 5 | |
| 0.7.0 | 1 / 3 | |
| 0.6.0 | 1 / 3 | |
| 0.5.1 | 1 / 3 | |
| 0.5.0 | 1 / 3 | |
| 0.4.0 | 1 / 3 | |
| 0.3.2 | 1 / 3 | |
| 0.3.1 | 1 / 3 | |
| 0.3.0 | 1 / 3 | |
| 0.2.1 | 1 / 3 | |
| 0.2.0 | 1 / 3 | |
| 0.0.5 | 1 / 2 |
v1.18.1
2 findingsMaintainer email 'jneen at jneen dot net' uses domain 'jneen at jneen dot net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
2 findingsMaintainer email 'jjmadkisson at gmail dot com' uses domain 'jjmadkisson at gmail dot com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
2 findingsMaintainer email 'jjmadkisson at gmail dot com' uses domain 'jjmadkisson at gmail dot com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
2 findingsMaintainer email 'jjmadkisson at gmail dot com' uses domain 'jjmadkisson at gmail dot com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findingsMaintainer email 'jjmadkisson at gmail dot com' uses domain 'jjmadkisson at gmail dot com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
2 findingsScript: make commonjs
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
3 findingsScript: make commonjs
Maintainer email 'jjmadkisson at gmail dot com' uses domain 'jjmadkisson at gmail dot com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.