tsd
Check TypeScript type definitions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Usage is a classic micro-templating pattern compiling HTML templates — a well-known benign use of new Function(). Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:colors | AI (phantom-deps): colors is a legitimate declared dependency for terminal output; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): diff is a legitimate declared dependency used in build artifacts or indirectly; not a security concern for this package. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/tsserverlibrary.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/typescript.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/typescriptServices.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/typingsInstaller.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| source-diff | net-exec-file:libraries/typescript/lib/lib.es5.d.ts | AI (source-diff): TypeScript .d.ts declaration file declaring eval() and other ES5 builtins; no executable code. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 64 new files are vendored TypeScript compiler/lib files replacing the typescript runtime dependency. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from vendoring TypeScript compiler instead of listing it as a runtime dependency. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/tsc.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| source-diff | obfuscated-file:libraries/typescript/lib/tsserver.js | AI (source-diff): Vendored TypeScript compiler distribution file from Microsoft; standard compiled output, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): chalk is a canonical, widely-trusted terminal styling package; its addition to a CLI tool is entirely benign and expected. | ai | |
| npm-metadata | url-dep:update-notifier | AI (npm-metadata): URL dep points to the same author's (Bartvds) own fork of update-notifier for a specific fix. Consistent with maintainer patching a dependency; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a historically ubiquitous HTTP library; using 'latest' is poor practice but not a security risk for this well-known package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used as a WSH-compatible JSON parser fallback (non-WSH path uses JSON.parse). Legacy pattern in a well-established package; not a supply-chain risk. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate project takeover by samverschueren (well-known maintainer, 135 approved packages). tsd was rewritten from a TS definition manager to a type checker. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): samverschueren is the new canonical maintainer of tsd after the rewrite; established npm publisher with strong track record. | ai | |
| provenance | no-provenance | AI (provenance): Published in 2019, before Sigstore provenance was available on npm. | ai | |
| license | uncommon-license:Apache 2.0 | AI (license): Apache 2.0 is a standard permissive license; the flag is due to non-standard string formatting, not an actual licensing concern. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): tsd is a well-established TypeScript Definition manager with no relation to qs; short name similarity is a mechanical false positive. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): tsd predates zod by years and is a completely different tool; Levenshtein match on short names is a false positive. | ai | |
Versions (showing 51 of 57)
| Version | Deps | Published |
|---|---|---|
| 0.33.0 | 7 / 16 | |
| 0.32.0 | 7 / 16 | |
| 0.31.2 | 7 / 16 | |
| 0.31.1 | 7 / 16 | |
| 0.31.0 | 7 / 16 | |
| 0.30.7 | 7 / 16 | |
| 0.30.6 | 7 / 16 | |
| 0.30.5 | 7 / 16 | |
| 0.30.4 | 7 / 16 | |
| 0.30.3 | 7 / 16 | |
| 0.30.2 | 7 / 16 | |
| 0.30.1 | 7 / 16 | |
| 0.30.0 | 7 / 16 | |
| 0.29.0 | 7 / 16 | |
| 0.28.1 | 7 / 16 | |
| 0.28.0 | 7 / 16 | |
| 0.27.0 | 6 / 15 | |
| 0.26.1 | 6 / 15 | |
| 0.26.0 | 6 / 15 | |
| 0.25.0 | 6 / 15 | |
| 0.24.1 | 6 / 15 | |
| 0.24.0 | 6 / 15 | |
| 0.23.0 | 6 / 15 | |
| 0.22.0 | 6 / 15 | |
| 0.21.0 | 6 / 15 | |
| 0.20.0 | 6 / 15 | |
| 0.19.1 | 6 / 15 | |
| 0.19.0 | 6 / 15 | |
| 0.18.0 | 6 / 15 | |
| 0.17.0 | 6 / 12 | |
| 0.16.0 | 7 / 13 | |
| 0.15.1 | 6 / 13 | |
| 0.15.0 | 6 / 13 | |
| 0.14.0 | 6 / 13 | |
| 0.13.1 | 6 / 13 | |
| 0.13.0 | 6 / 13 | |
| 0.12.1 | 6 / 13 | |
| 0.12.0 | 6 / 12 | |
| 0.11.0 | 6 / 12 | |
| 0.10.0 | 7 / 11 | |
| 0.9.0 | 6 / 11 | |
| 0.8.0 | 7 / 9 | |
| 0.7.4 | 7 / 7 | |
| 0.7.3 | 7 / 7 | |
| 0.7.2 | 7 / 7 | |
| 0.7.1 | 7 / 7 | |
| 0.7.0 | 7 / 7 | |
| 0.6.4 | 34 / 29 | |
| 0.6.3 | 33 / 29 | |
| 0.6.0 | 31 / 28 | |
| 0.5.6 | 26 / 28 | |
v0.33.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.17.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.16.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-07-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.3
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-05-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings:
This version was published by a different npm account than previous versions on 2019-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-08-29. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-06-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.