tsdown — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sxzz

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-peer-dep:unplugin-unused	AI (dependencies): Optional peer dep; unvetted status does not block established packages.	ai	2026/05/18
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions publisher is backed by SLSA Sigstore attestation from the official rolldown/tsdown repo.	ai	2026/04/27
phantom-deps	phantom-dep:lightningcss	AI (phantom-deps): lightningcss is a declared runtime dep used via unplugin-lightningcss; phantom-dep heuristic fires but it's a stable false positive for this package.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): import-without-cache and obug are small, legitimate utilities consistent with a watch-mode refactor (replacing chokidar/diff). No malicious indicators.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): SLSA provenance attestation via Sigstore confirms legitimate CI/CD publish, substantially mitigating account-takeover risk from dormancy.	ai	2026/04/26
dependencies	unvetted-dep:obug	AI (dependencies): obug is a utility from the same sxzz/rolldown ecosystem; consistent with tsdown's purpose and maintainer.	ai	2026/04/25
dependencies	unvetted-dep:import-without-cache	AI (dependencies): import-without-cache is a utility from the same sxzz ecosystem; consistent with tsdown's config loading needs.	ai	2026/04/25
dependencies	unvetted-dep:unrun	AI (dependencies): unrun is a utility from the same sxzz/rolldown ecosystem; consistent with tsdown's purpose and maintainer.	ai	2026/04/25
dependencies	unvetted-dep:empathic	AI (dependencies): empathic is a path resolution utility from the same ecosystem; consistent with tsdown's bundler use case.	ai	2026/04/25
dependencies	unvetted-dep:unconfig-core	AI (dependencies): unconfig-core is a config loading utility from the same ecosystem; consistent with tsdown's bundler use case.	ai	2026/04/25
dependencies	unvetted-dep:rolldown-plugin-dts	AI (dependencies): rolldown-plugin-dts is a core plugin for the rolldown bundler ecosystem that tsdown is built on.	ai	2026/04/25

Versions (showing 51 of 88)

View all versions

Version	Deps	Published
0.22.1	15 / 42	2026-05-28
0.22.0	15 / 41	2026-05-07
0.21.10	16 / 39	2026-04-22
0.21.9	16 / 39	2026-04-16
0.21.8	16 / 39	2026-04-13
0.21.7	16 / 38	2026-03-28
0.21.6	16 / 38	2026-03-27
0.21.5	16 / 38	2026-03-25
0.21.4	16 / 39	2026-03-16
0.21.3	16 / 39	2026-03-15
0.21.2	16 / 39	2026-03-11
0.21.1	16 / 39	2026-03-09
0.21.0	16 / 35	2026-03-05
0.20.3	16 / 33	2026-02-05
0.20.2	16 / 33	2026-02-04
0.20.1	16 / 31	2026-01-22
0.20.0	16 / 31	2026-01-22
0.19.0	16 / 31	2026-01-10
0.18.4	16 / 30	2025-12-30
0.18.3	16 / 30	2025-12-24
0.18.2	16 / 29	2025-12-21
0.18.1	16 / 29	2025-12-17
0.18.0	15 / 28	2025-12-15
0.17.4	15 / 28	2025-12-14
0.17.3	15 / 26	2025-12-12
0.17.2	14 / 26	2025-12-08
0.17.1	14 / 26	2025-12-08
0.17.0	14 / 26	2025-12-04
0.16.8	15 / 23	2025-11-27
0.16.7	15 / 23	2025-11-25
0.16.6	15 / 22	2025-11-20
0.16.5	15 / 22	2025-11-17
0.16.4	15 / 22	2025-11-12
0.16.3	15 / 22	2025-11-11
0.16.2	15 / 23	2025-11-11
0.16.1	15 / 23	2025-11-07
0.16.0	14 / 24	2025-11-04
0.15.12	14 / 23	2025-10-29
0.15.11	15 / 22	2025-10-28
0.15.10	15 / 22	2025-10-26
0.15.9	14 / 23	2025-10-20
0.15.8	14 / 23	2025-10-18
0.15.7	14 / 23	2025-10-13
0.15.6	14 / 23	2025-09-30
0.15.5	14 / 23	2025-09-27
0.15.4	14 / 22	2025-09-20
0.15.3	14 / 22	2025-09-20
0.15.2	14 / 22	2025-09-16
0.15.1	14 / 22	2025-09-12
0.15.0	14 / 22	2025-09-09
0.14.2	14 / 22	2025-08-25