standard-format — Greenflagged

attempts to reformat javascript to comply with feross/standard style

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

maxogdenjb55ferossbretflet

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:test/fixtures/jquery.js	AI (source-diff): File is the jQuery library used as a test fixture for a JS formatter. Network/exec patterns are jQuery's legitimate AJAX and eval-based features, not malware.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase is entirely explained by adding a 248KB jQuery test fixture, a normal practice for JS formatting tools.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require at index.js:9 uses a static path.join to load a bundled config JSON — not user-controlled or dangerous.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-eol-last	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-semicolon-first	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): The bret→feross transition occurred in 2016; feross is a highly reputable publisher in the standard/JS ecosystem. This is a stable, legitimate maintainer handoff.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-spaced-lined-comment	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-remove-trailing-commas	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-literal-notation	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-jsx	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24
phantom-deps	phantom-dep:esformatter-quotes	AI (phantom-deps): esformatter plugins are loaded via config, not direct require(). This is the expected usage pattern for this package's architecture.	ai	2026/04/24

Versions (showing 39 of 39)

Version	Deps	Published
2.2.4	11 / 9	2016-11-23
2.2.3	11 / 9	2016-08-25
2.2.2	11 / 9	2016-06-24
2.2.1	11 / 9	2016-05-19
2.2.0	11 / 9	2016-05-17
2.1.1	10 / 10	2016-02-23
2.1.0	10 / 10	2015-11-16
2.0.0	10 / 10	2015-11-07
1.6.10	10 / 10	2015-11-07
1.6.9	10 / 10	2015-10-30
1.6.8	10 / 10	2015-10-07
1.6.7	10 / 10	2015-08-27
1.6.6	10 / 9	2015-08-23
1.6.5	10 / 9	2015-08-15
1.6.4	10 / 9	2015-08-12
1.6.3	10 / 9	2015-08-12
1.6.2	10 / 9	2015-08-05
1.6.1	10 / 9	2015-08-04
1.6.0	10 / 9	2015-07-22
1.5.0	9 / 9	2015-07-17
1.4.0	11 / 9	2015-07-07
1.3.10	11 / 9	2015-07-06
1.3.9	11 / 9	2015-06-18
1.3.8	11 / 9	2015-06-18
1.3.7	10 / 9	2015-06-17
1.3.6	10 / 9	2015-04-16
1.3.5	10 / 9	2015-03-29
1.3.4	10 / 9	2015-03-24
1.3.3	10 / 8	2015-03-10
1.3.2	11 / 8	2015-03-10
1.3.1	10 / 8	2015-03-10
1.3.0	10 / 8	2015-03-07
1.2.3	10 / 8	2015-02-23
1.2.2	10 / 8	2015-02-23
1.2.1	10 / 8	2015-02-23
1.2.0	9 / 8	2015-02-18
1.1.1	5 / 8	2015-02-08
1.1.0	5 / 0	2015-02-06
1.0.0	3 / 0	2015-01-28

v2.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.3

2 findings

HIGH Publisher changed: bret → feross (on 2016-08-25) provenance

This version was published by a different npm account than previous versions on 2016-08-25. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.2

2 findings

HIGH Publisher changed: feross → bret (on 2016-06-24) provenance

This version was published by a different npm account than previous versions on 2016-06-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

2 findings

HIGH Publisher changed: bret → feross (on 2016-05-19) provenance

This version was published by a different npm account than previous versions on 2016-05-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

2 findings

HIGH Publisher changed: bret → feross (on 2016-05-17) provenance

This version was published by a different npm account than previous versions on 2016-05-17. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

2 findings

HIGH Publisher changed: bret → feross (on 2016-02-23) provenance

This version was published by a different npm account than previous versions on 2016-02-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

2 findings

HIGH Publisher changed: bret → feross (on 2015-11-16) provenance

This version was published by a different npm account than previous versions on 2015-11-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.9

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: flet → bret (on 2015-10-30) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-10-30. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.8

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: feross → flet (on 2015-10-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-10-07. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.7

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: bret → feross (on 2015-08-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-27. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.6

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: feross → bret (on 2015-08-23) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-23. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.5

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: flet → feross (on 2015-08-15) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-15. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.3

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: feross → flet (on 2015-08-12) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-12. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.2

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: flet → feross (on 2015-08-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-05. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.1

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: feross → flet (on 2015-08-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-04. This could indicate a legitimate maintainer transition or an account compromise.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: flet → feross (on 2015-07-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-07-17. This could indicate a legitimate maintainer transition or an account compromise.

v1.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.8

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: feross → flet (on 2015-06-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-06-18. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.7

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jb55 → feross (on 2015-06-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-06-17. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.6

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: maxogden → jb55 (on 2015-04-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-04-16. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.5

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jb55 → maxogden (on 2015-03-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-03-29. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.4

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jb55.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.3

2 findings

HIGH New file with network + code execution: test/fixtures/jquery.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: maxogden → jb55 (on 2015-02-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-02-08. This could indicate a legitimate maintainer transition or an account compromise.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.