source-map
Generates and consumes source maps
Versions: 51
License: BSD-3-Clause
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mozilla-npmmythmonjkratzerfactorui.npmproject-nimbus-publishinggijsbrizentalaplacitellimozrhelmerknowtheorynbaumgardnertigleymeemelimlifshinllisi-mozjdarcangelo-mozillanchevobbemozilla-devtoolsnickfitzgeraldloganfsmythejpbrueltromey
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:bench/scalajs-runtime-sourcemap.js | AI (source-diff): Benchmark fixture containing a standard source map (base64-VLQ mappings). Not executable code; expected test data for a source-map library. | ai | |
| license | uncommon-license:GPL | AI (license): GPL is part of the standard tri-license used by Mozilla projects; expected and legitimate for this package. | ai | |
| license | uncommon-license:LGPL | AI (license): LGPL is part of the standard tri-license used by Mozilla projects; expected and legitimate for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): source-map 0.0.0 is the original 2011 release of the canonical Mozilla source-map library, not a throwaway package. Version 0.0.0 reflects early npm conventions, not malicious intent. | ai | |
| license | uncommon-license:MPL | AI (license): MPL is the standard Mozilla Public License used across all Mozilla open-source projects; expected and legitimate for this package. | ai | |
| source-diff | obfuscated-file:dist/source-map.js | AI (source-diff): dist/source-map.js is a webpack bundle built from source (confirmed by build script in package.json). Standard for browser-compatible distribution of source-map. | ai | |
| dependencies | unvetted-dep:requirejs | AI (dependencies): requirejs is a well-known AMD module loader; its use as a pinned dependency in this early-era Mozilla package is legitimate and expected. | ai | |
| license | uncommon-license:BSD | AI (license): Package explicitly references BSD-3-Clause; the 'BSD' short-form label is a known false positive for this well-established Mozilla package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'mozilla' account while adding multiple Mozilla-affiliated individual accounts is consistent with org restructuring. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within Mozilla org; new publisher eemeli is established, repo URL unchanged, multiple Mozilla-affiliated maintainers added. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Mozilla-affiliated accounts; reflects org-level npm account management, not a takeover. | ai | |
| source-diff | obfuscated-file:dist/source-map.debug.js | AI (source-diff): Webpack bundle output for browser distribution; standard build artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/test_base64.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_base64_vlq.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_binary_search.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_array_set.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_quick_sort.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_source_map_consumer.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_source_map_generator.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_source_node.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_util.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/test/test_dog_fooding.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New dist/ folder with webpack bundles for browser support; expected for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from adding dist/ webpack bundles; expected build artifacts for browser distribution. | ai | |
| source-diff | obfuscated-file:dist/test/test_api.js | AI (source-diff): Webpack-bundled test file for browser testing; standard build artifact. | ai | |
| provenance | no-provenance | AI (provenance): source-map is a 5000+ day old Mozilla package with 280M weekly downloads; lack of Sigstore provenance is expected for packages of this era and does not indicate risk. | ai | |
| dependencies | unvetted-dep:amdefine | AI (dependencies): amdefine is a well-known AMD/CommonJS compatibility shim and has been a stable, legitimate dependency of source-map for many years. | ai | |
Versions (showing 51 of 69)
| Version | Deps | Published |
|---|---|---|
| 0.7.6 | 0 / 5 | |
| 0.7.5 | 0 / 5 | |
| 0.7.4 | 0 / 8 | |
| 0.7.3 | 0 / 7 | |
| 0.7.2 | 0 / 2 | |
| 0.7.1 | 0 / 2 | |
| 0.7.0 | 0 / 2 | |
| 0.6.1 | 0 / 2 | |
| 0.6.0 | 0 / 2 | |
| 0.5.7 | 0 / 2 | |
| 0.5.6 | 0 / 2 | |
| 0.5.5 | 0 / 2 | |
| 0.5.4 | 0 / 2 | |
| 0.5.3 | 0 / 2 | |
| 0.5.2 | 0 / 2 | |
| 0.5.1 | 0 / 2 | |
| 0.5.0 | 0 / 2 | |
| 0.4.4 | 1 / 1 | |
| 0.4.3 | 1 / 1 | |
| 0.4.2 | 1 / 1 | |
| 0.4.1 | 1 / 1 | |
| 0.4.0 | 1 / 1 | |
| 0.3.0 | 1 / 1 | |
| 0.2.0 | 1 / 1 | |
| 0.1.43 | 1 / 1 | |
| 0.1.42 | 1 / 1 | |
| 0.1.41 | 1 / 1 | |
| 0.1.40 | 1 / 1 | |
| 0.1.39 | 1 / 1 | |
| 0.1.38 | 1 / 1 | |
| 0.1.37 | 1 / 1 | |
| 0.1.36 | 1 / 1 | |
| 0.1.35 | 1 / 1 | |
| 0.1.34 | 1 / 1 | |
| 0.1.33 | 1 / 1 | |
| 0.1.32 | 1 / 1 | |
| 0.1.31 | 1 / 1 | |
| 0.1.30 | 1 / 1 | |
| 0.1.29 | 1 / 1 | |
| 0.1.28 | 1 / 1 | |
| 0.1.27 | 1 / 1 | |
| 0.1.26 | 1 / 1 | |
| 0.1.25 | 1 / 1 | |
| 0.1.24 | 1 / 1 | |
| 0.1.23 | 1 / 1 | |
| 0.1.22 | 1 / 1 | |
| 0.1.21 | 1 / 1 | |
| 0.1.20 | 1 / 1 | |
| 0.1.19 | 1 / 1 | |
| 0.1.18 | 1 / 1 | |
| 0.1.17 | 1 / 1 | |