soupselect
2
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:deps/htmlparser/json2.js | AI (source-diff): This is the canonical public-domain json2.js from json.org. The 'network' signal is a URL in a comment; the eval is the well-known safe JSON parsing fallback. Not malicious. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in json2.js is the documented Crockford safe-eval JSON parsing pattern with regex validation. Stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in runtests.js loads test modules by filename — standard test runner pattern, no external/arbitrary input. | ai | |
| provenance | no-provenance | AI (provenance): Package is ~15 years old; no provenance attestation is expected and not a meaningful risk signal for this package. | ai |
v0.2.0
2 findings
HIGH
New file with network + code execution: deps/htmlparser/json2.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.