← Home

recast

npm Repository Homepage

JavaScript syntax tree transformer, nondestructive pretty-printer, and automatic source map generator

51
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

eventualbuddhabenjamn

Keywords

astrewritingrefactoringcodegensyntaxtransformationparsingpretty-printing

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Publisher change from benjamn to eventualbuddha occurred in 2019 and is a historical legitimate maintainer transition; eventualbuddha has 101 approved packages and 0 rejections. ai
dependencies unvetted-dep:cls AI (dependencies): cls (continuation-local storage) is a legitimate utility package; its use in recast for async context tracking is plausible and no malicious signals are present. ai
source-diff source-size-tripled AI (source-diff): Size increase is entirely explained by the addition of the 268KB jQuery test fixture, a legitimate test data file for an AST transformation library. ai
npm-metadata url-dep:esprima AI (npm-metadata): benjamn (recast's author) maintains the esprima fork; same publisher controls both repos. URL dep is a known pattern for this package's early versions. ai
phantom-deps phantom-dep:whiskey AI (phantom-deps): Whiskey is an optionalDependency used only as a test runner in package.json scripts, not imported in source. Phantom-dep finding is a false positive for this usage pattern. ai
source-diff net-exec-file:test/data/jquery-1.9.1.js AI (source-diff): This is the canonical jQuery 1.9.1 library added as a test fixture for recast's AST transformer. Network/exec patterns are jQuery's own internals, not malware. ai
publish-pattern new-deps-added AI (publish-pattern): esprima, tiny-invariant, and tslib are all well-known, legitimate packages. Their addition reflects a major version upgrade (0.10→0.23) with TypeScript migration, not an attack vector. ai
dependencies unvetted-dep:esprima-fb AI (dependencies): esprima-fb is Facebook's harmony/JSX fork of esprima, a known and legitimate dependency for recast's AST parsing in the v0.10.x era. Not a suspicious package. ai
provenance no-provenance AI (provenance): recast is a long-established package (4960 days old) published before Sigstore provenance was standard; absence of attestation is expected and not a risk signal here. ai
typosquat typosquat.levenshtein:react AI (typosquat): recast is a long-established, well-known AST tool with no intent to impersonate react. Name similarity is coincidental. ai

Versions (showing 51 of 186)

View all versions
Version Deps Published
0.23.11 5 / 17
0.23.10 5 / 17
0.23.9 5 / 17
0.23.8 5 / 17
0.23.7 5 / 17
0.23.6 5 / 17
0.23.5 5 / 17
0.23.4 5 / 17
0.23.3 5 / 17
0.23.2 5 / 17
0.23.1 5 / 17
0.23.0 5 / 17
0.22.0 5 / 17
0.21.2 4 / 17
0.21.0 4 / 18
0.20.5 4 / 18
0.20.4 4 / 18
0.20.3 5 / 18
0.20.2 4 / 18
0.20.1 4 / 18
0.20.0 4 / 19
0.19.1 4 / 15
0.19.0 4 / 15
0.18.10 4 / 15
0.18.9 4 / 15
0.18.8 4 / 15
0.18.7 4 / 15
0.18.5 4 / 15
0.18.4 4 / 15
0.18.3 4 / 15
0.18.2 4 / 15
0.18.1 4 / 15
0.18.0 4 / 15
0.17.6 4 / 16
0.17.5 4 / 16
0.17.4 4 / 16
0.17.3 4 / 16
0.17.2 4 / 16
0.17.1 4 / 16
0.17.0 4 / 16
0.16.2 4 / 8
0.16.1 4 / 8
0.16.0 4 / 8
0.15.5 4 / 8
0.15.4 4 / 8
0.15.3 4 / 8
0.15.2 4 / 8
0.15.1 4 / 8
0.15.0 4 / 8
0.14.7 4 / 9
0.14.6 4 / 9