← Home

shiki

npm Repository Homepage

A beautiful Syntax Highlighter.

14
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

antfuortaoctrefshiki-deploys

Keywords

shiki

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/langs-bundle-full-MHKA2PDZ.d.mts AI (source-diff): TypeScript declaration with long string-literal union type, not obfuscation. Stable pattern for this package. ai
source-diff obfuscated-file:dist/langs-bundle-full-C-zczmvu.d.mts AI (source-diff): TypeScript declaration file with long union-type lines of language names; not obfuscation. ai
publish-pattern dormant-publish AI (publish-pattern): Shiki migrated to shikijs monorepo; CI-published with SLSA provenance, not an account takeover signal. ai
source-diff large-new-source-files AI (source-diff): Shiki regularly adds language/theme grammar files; large file counts are expected for this package. ai
bogus-package bogus-package AI (bogus-package): antfu (Anthony Fu) is a well-known legitimate OSS developer and shiki maintainer; inflated semver reflects a major rewrite, not spam; SLSA provenance confirms CI/CD publish. Bogus signals are false positives for this package. ai
phantom-deps phantom-dep:@types/hast AI (phantom-deps): @types/hast is used for re-exported TypeScript types, not direct runtime imports; this pattern is expected for TypeScript packages. ai
dependencies unvetted-dep:@shikijs/core AI (dependencies): @shikijs/core is a first-party monorepo package from the shiki project; always a legitimate dependency. ai
dependencies unvetted-dep:@shikijs/engine-javascript AI (dependencies): @shikijs/engine-javascript is a first-party monorepo package from the shiki project; always a legitimate dependency. ai
dependencies unvetted-dep:@types/hast AI (dependencies): @types/hast is a well-known DefinitelyTyped package; its use as a re-exported type dependency is standard practice. ai

Versions (showing 14 of 14)

Version Deps Published
4.1.0 8 / 4
4.0.2 8 / 4
4.0.1 8 / 4
4.0.0 8 / 4
3.23.0 8 / 4
3.22.0 8 / 4
3.21.0 8 / 4
3.20.0 8 / 4
3.19.0 8 / 4
3.18.0 8 / 4
3.17.1 8 / 4
3.17.0 8 / 4
3.16.0 8 / 4
3.15.0 8 / 4

v4.1.0

2 findings
HIGH New obfuscated file: dist/langs-bundle-full-MHKA2PDZ.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

2 findings
HIGH New obfuscated file: dist/langs-bundle-full-C-zczmvu.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.23.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.22.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.20.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.19.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.18.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.17.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.17.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.16.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.15.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.