← Home

prettier

npm Repository Homepage

Prettier is an opinionated code formatter

57
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jlongsterlydellthorn0vjeuxfiskersuchipiduailibeikatyangazzsosukesuzukiprettier-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
bogus-package bogus-package AI (bogus-package): prettier bundles all deps (no declared deps by design), has no keywords by convention, and is a legitimate incremental release not a new package. ai
semgrep semgrep:toplevel-fetch AI (semgrep): fetch() in experimental-cli-worker.mjs is part of prettier's experimental CLI plugin/config fetching feature, not telemetry or exfiltration. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() in bundled standalone.js is standard rollup/esbuild output pattern, not obfuscation. ai
maintainer-change maintainer-added AI (maintainer-change): prettier-bot is the established automated publisher for the prettier project; maintainer addition is legitimate. ai
provenance publisher-changed AI (provenance): prettier-bot is the project's official publishing bot with 164 approved versions; publisher transition is legitimate and stable. ai
source-diff net-exec-file:cli.js AI (source-diff): cli.js is a bundled build artifact inlining core-js polyfills; global detection and HTTP usage are expected for prettier's CLI. Stable FP for this package. ai
source-diff obfuscated-file:internal/experimental-cli.mjs AI (source-diff): Bundled CLI output from esbuild; long lines are standard bundler artifacts, not obfuscation. Stable for prettier. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require() is an intentional part of Prettier's plugin/parser loading architecture in its bundled third-party.js; stable false positive for this package. ai
semgrep semgrep:eval-usage AI (semgrep): eval('require') is a known legitimate pattern to access require without bundler interference; used in module resolution utilities within prettier's third-party.js. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires on bundled third-party parser code (PostCSS). Dynamic construction is expected in parser bundles; not malicious for prettier. ai
semgrep semgrep:base64-decode AI (semgrep): Pattern match on minified UMD wrapper in bundled parser-postcss.js; no actual base64 payload present. Stable false positive for prettier's bundled parsers. ai
provenance no-provenance AI (provenance): Prettier 2.x predates widespread provenance adoption; absence is expected for this era. Package trust is well-established by other signals. ai

Versions (showing 57 of 157)

Hide prereleases
Version Deps Published
1.10.1 0 / 28
1.10.0 0 / 28
1.9.2 0 / 26
1.9.1 0 / 26
1.9.0 0 / 26
1.8.2 0 / 25
1.8.1 0 / 25
1.8.0 0 / 25
1.7.4 0 / 26
1.7.3 0 / 25
1.7.2 0 / 25
1.7.1 0 / 25
1.7.0 0 / 25
1.6.1 0 / 25
1.6.0 0 / 25
1.5.3 0 / 20
1.5.2 0 / 20
1.5.1 0 / 20
1.5.0 0 / 20
1.4.4 0 / 37
1.4.3 0 / 37
1.4.2 0 / 34
1.4.1 0 / 34
1.4.0 0 / 34
1.3.1 10 / 12
1.3.0 10 / 12
1.2.2 10 / 12
1.2.1 10 / 12
1.2.0 10 / 12
1.1.0 10 / 12
1.0.2 10 / 12
1.0.1 10 / 12
1.0.0 12 / 12
0.22.0 10 / 10
0.21.0 10 / 8
0.20.0 10 / 8
0.19.0 10 / 9
0.18.0 10 / 9
0.17.1 10 / 9
0.17.0 10 / 9
0.16.0 9 / 8
0.15.0 9 / 8
0.14.1 9 / 8
0.14.0 9 / 8
0.13.1 9 / 8
0.11.0 8 / 8
0.0.10 8 / 7
0.0.9 8 / 6
0.0.8 8 / 6
0.0.7 8 / 6
0.0.6 8 / 6
0.0.5 8 / 1
0.0.4 7 / 1
0.0.3 5 / 1
0.0.2 5 / 1
0.0.1 5 / 1
4.0.0-alpha.13 0 / 0