semistandard — Greenflagged

All the goodness of `feross/standard` with semicolons sprinkled on top.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jhieseybretferossfletlinusumafintoshjprichardsonwatsonraynostoddbluhmvoxpelli

Keywords

JavaScript Standard Stylebikeshedcheckcheckercodecode checkercode lintercode standardscode styleenforceeslinthintjscsjshintlintpolicyqualitysemicolonsimplestandardstandard stylestylestyle checkerstyle linterverify

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Documented legitimate maintainer transition from feross to voxpelli; voxpelli is a known contributor to the standard/semistandard ecosystem with a strong track record.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (voxpelli, jprichardson, watson, raynos, toddbluhm) are known contributors to the standard ecosystem; this reflects a legitimate team transition.	ai	2026/04/24
phantom-deps	phantom-dep:eslint-plugin-node	AI (phantom-deps): semistandard is an ESLint config wrapper; plugins are declared as deps and referenced in config files rather than directly imported — this is the expected pattern for this type of package.	ai	2026/04/24
phantom-deps	phantom-dep:eslint-plugin-import	AI (phantom-deps): ESLint plugins are loaded by ESLint via config files, not directly imported in JS. Standard pattern for ESLint tooling packages.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-plugin-promise	AI (phantom-deps): ESLint plugins are loaded by ESLint via config files, not directly imported in JS. Standard pattern for ESLint tooling packages.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval('import(...)') is a static-string ESM compatibility shim in bin/cmd.js; input is not user-controlled. Legitimate pattern for this package.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-config-semistandard	AI (phantom-deps): ESLint configs are referenced in ESLint config files, not directly imported. Standard pattern for ESLint tooling packages.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-config-standard-jsx	AI (phantom-deps): ESLint configs are referenced in ESLint config files, not directly imported. Standard pattern for ESLint tooling packages.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-config-standard	AI (phantom-deps): ESLint configs are referenced in ESLint config files, not directly imported. Standard pattern for ESLint tooling packages.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-plugin-n	AI (phantom-deps): ESLint plugins are loaded by ESLint via config files, not directly imported in JS. Standard pattern for ESLint tooling packages.	ai	2026/04/23
phantom-deps	phantom-dep:eslint-plugin-react	AI (phantom-deps): ESLint plugins are loaded by ESLint via config files, not directly imported in JS. Standard pattern for ESLint tooling packages.	ai	2026/04/23

Versions (showing 66 of 66)

Version	Deps	Published
17.0.0	9 / 7	2023-05-29
16.0.1	9 / 7	2021-06-14
16.0.0	10 / 7	2020-10-29
15.0.0	10 / 7	2020-10-29
14.2.3	10 / 7	2020-07-25
14.2.2	10 / 7	2020-06-24
14.2.1	10 / 7	2020-06-24
14.2.0	10 / 7	2019-09-14
14.1.0	10 / 7	2019-09-04
14.0.1	10 / 7	2019-08-19
14.0.0	10 / 7	2019-08-19
13.0.1	10 / 7	2018-11-09
13.0.0	10 / 7	2018-11-06
12.0.1	10 / 7	2018-02-22
12.0.0	10 / 7	2018-01-02
11.0.0	10 / 7	2017-04-20
10.0.0	8 / 7	2017-03-06
9.2.1	8 / 7	2016-12-05
9.2.0	8 / 7	2016-12-05
9.1.0	9 / 7	2016-10-12
9.0.0	9 / 7	2016-09-03
8.0.0	9 / 7	2016-05-16
7.0.5	11 / 8	2016-01-15
7.0.4	11 / 8	2015-11-25
7.0.3	11 / 8	2015-11-17
7.0.2	11 / 8	2015-08-04
7.0.1	11 / 8	2015-08-04
7.0.0	11 / 9	2015-08-04
6.1.2	9 / 8	2015-07-06
6.1.1	9 / 8	2015-06-18
6.1.0	9 / 8	2015-06-16
6.0.0	9 / 8	2015-06-03
5.0.0	6 / 9	2015-05-30
4.3.0	6 / 9	2015-05-29
4.2.2	6 / 9	2015-05-28
4.2.1	6 / 9	2015-05-26
4.2.0	6 / 9	2015-05-20
4.1.4	1 / 9	2015-05-03
4.1.3	1 / 9	2015-04-23
4.1.2	1 / 9	2015-04-16
4.1.1	1 / 8	2015-04-15
4.1.0	1 / 8	2015-04-14
4.0.3	1 / 8	2015-03-31
4.0.2	1 / 8	2015-03-31
4.0.1	1 / 8	2015-03-28
4.0.0	1 / 8	2015-03-28
3.3.0	10 / 8	2015-03-26
3.1.2	17 / 7	2015-03-18
2.10.0	13 / 7	2015-02-26
2.6.5	10 / 7	2015-02-20
2.6.2	10 / 7	2015-02-13
2.6.0	10 / 7	2015-02-10
2.5.0	10 / 7	2015-02-09
2.4.5	10 / 7	2015-02-07
2.4.4	9 / 7	2015-02-06
2.4.1	2 / 0	2015-02-04
2.3.2	2 / 0	2015-02-01
2.3.1	2 / 0	2015-01-31
2.3.0	2 / 0	2015-01-31
2.2.1	2 / 0	2015-01-30
2.2.0	2 / 0	2015-01-30
2.1.0	2 / 0	2015-01-30
2.0.0	2 / 0	2015-01-30
1.0.2	2 / 0	2015-01-30
1.0.1	2 / 0	2015-01-27
1.0.0	2 / 0	2015-01-27

v17.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.1

2 findings

HIGH Publisher changed: feross → voxpelli (on 2021-06-14) provenance

This version was published by a different npm account than previous versions on 2021-06-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.