sizzle
A pure-JavaScript, bottom-up CSS selector engine designed to be easily dropped in to a host library.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): The 2014 transition to timmywil/gibson042/dmethvin is a documented, legitimate jQuery Foundation maintainer handoff, not a hijack. All new maintainers are known jQuery contributors. | ai | |
| source-diff | net-exec-file:dist/sizzle.js | AI (source-diff): dist/sizzle.js is the Sizzle CSS selector engine build artifact. Dynamic code patterns are part of CSS selector compilation, not malicious network/exec behavior. Stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from timmywil to gibson042 occurred in 2014 as part of a legitimate jQuery Foundation team transition. gibson042 is a known jQuery core contributor with a strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): gibson042 and dmethvin are well-known jQuery Foundation contributors; their addition reflects a legitimate organizational handoff over a decade ago. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of ded and rvagg is consistent with the 2014 jQuery Foundation transition; no evidence of malicious takeover. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance attestation by many years; absence of provenance is expected for this era of publishing. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 2.3.10 | 0 / 29 | |
| 2.3.9 | 0 / 29 | |
| 2.3.8 | 0 / 29 | |
| 2.3.7 | 0 / 29 | |
| 2.3.6 | 0 / 29 | |
| 2.3.5 | 0 / 29 | |
| 2.3.4 | 0 / 29 | |
| 2.3.3 | 0 / 27 | |
| 2.3.2 | 0 / 27 | |
| 2.3.0 | 0 / 27 | |
| 2.2.1 | 0 / 29 | |
| 2.2.0 | 0 / 28 | |
| 2.1.1 | 0 / 28 | |
| 2.1.0 | 0 / 28 | |
| 2.0.0 | 0 / 23 | |
v2.3.10
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.9
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.8
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.7
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.6
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.5
2 findings:
- This version was published by a different npm account than previous versions on 2020-03-13. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.4
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.3
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
4 findings:
- All previous maintainers (ded, rvagg) were replaced by new maintainers (timmywil, gibson042, dmethvin). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2014-12-15. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findings:
- This version was published by a different npm account than previous versions on 2014-12-12. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findings:
- This version was published by a different npm account than previous versions on 2014-07-01. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.