tslint
An extensible static analysis linter for the TypeScript language
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/tslint-cli.js | AI (source-diff): tslint compiles TypeScript to JS build artifacts; long lines are minified/bundled output, not obfuscation. Code is fully readable and does exactly what a linter CLI should do. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects package restructuring (monolithic bundle split into modules), not code replacement. Consistent with the 181 new source files added in this version. | ai | |
| provenance | missing-githead | AI (provenance): Palantir is a highly trusted publisher with 107 approved packages. Missing gitHead reflects a publish environment change, not a supply chain compromise. | ai | |
| source-diff | large-new-source-files | AI (source-diff): TSLint ships compiled JS output alongside TS sources; large file counts are expected for this build-tool package across versions. | ai | |
| source-diff | obfuscated-file:build/tslint-tests2.js | AI (source-diff): This is the bundled TypeScript compiler services file (typescriptServices.js pattern), a well-known legitimate artifact shipped by tslint. Long lines are from concatenation, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib/typescriptServices.js | AI (source-diff): typescriptServices.js is Microsoft's canonical TypeScript compiler bundle, legitimately included by tslint for runtime use. The Apache 2.0 Microsoft copyright header confirms authenticity. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in scripts/tsc-wrapper.js, a dev/build helper for wrapping the TypeScript compiler. This is expected for a linter build tool and not a runtime or install-time risk. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): findup-sync is a legitimate, well-known utility appropriate for a linter locating config files. No malicious indicators. | ai | |
| license | uncommon-license:Apache 2.0 | AI (license): Apache 2.0 is a well-known permissive license; flagged only due to non-standard string format vs SPDX 'Apache-2.0'. No real concern. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this established package. | ai | |
| phantom-deps | phantom-dep:findup-sync | AI (phantom-deps): findup-sync is a declared runtime dependency used for config file discovery; phantom signal likely reflects TypeScript compilation patterns. | ai | |
| phantom-deps | phantom-dep:underscore.string | AI (phantom-deps): underscore.string is a declared runtime dependency; phantom signal likely reflects indirect usage patterns in compiled TypeScript output. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Palantir added as maintainer is part of the legitimate 2013 organizational transfer of TSLint. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): TSLint was legitimately transferred from individual author (ashwinr) to Palantir in 2013. Repo URL confirms palantir ownership. This is a 12-year-old resolved transition, not a hijack. | ai | |
| phantom-deps | phantom-dep:optimist | AI (phantom-deps): optimist is a legitimate CLI argument parser declared as a runtime dep; likely used in compiled output or bin script, not a phantom dependency in practice. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): ashwinr removal is part of the legitimate 2013 organizational transfer of TSLint to Palantir. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from ashwinr to palantir is a documented, legitimate organizational transfer in 2013. Repo URL and publisher track record confirm authenticity. | ai | |
| source-diff | net-exec-file:lib/rules/code-examples/functionConstructor.examples.js | AI (source-diff): File contains tslint rule examples demonstrating the function-constructor rule. The 'new Function()' usage is the example code the rule is designed to detect, not malicious dynamic execution. False positive for this linter package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): tslint's dynamic require() is used to load user config files — core linter functionality, not a security risk. Stable pattern across all versions. | ai | |
| typosquat | typosquat.levenshtein:eslint | AI (typosquat): tslint and eslint are distinct, well-known tools in the JS/TS ecosystem. No impersonation risk; already marked accepted risk. | ai | |
Versions (showing 51 of 125)
| Version | Deps | Published |
|---|---|---|
| 6.1.3 | 13 / 28 | |
| 6.1.2 | 13 / 28 | |
| 6.1.1 | 13 / 28 | |
| 6.1.0 | 13 / 28 | |
| 6.0.0 | 13 / 28 | |
| 5.20.1 | 13 / 28 | |
| 5.20.0 | 13 / 28 | |
| 5.19.0 | 13 / 28 | |
| 5.18.0 | 13 / 28 | |
| 5.17.0 | 13 / 28 | |
| 5.16.0 | 13 / 28 | |
| 5.15.0 | 13 / 27 | |
| 5.14.0 | 13 / 27 | |
| 5.13.1 | 13 / 27 | |
| 5.13.0 | 13 / 27 | |
| 5.12.1 | 12 / 26 | |
| 5.12.0 | 12 / 26 | |
| 5.11.0 | 12 / 22 | |
| 5.10.0 | 12 / 22 | |
| 5.9.1 | 12 / 22 | |
| 5.9.0 | 12 / 22 | |
| 5.8.0 | 11 / 25 | |
| 5.7.0 | 10 / 23 | |
| 5.6.0 | 10 / 23 | |
| 5.5.0 | 10 / 23 | |
| 5.4.3 | 10 / 23 | |
| 5.4.2 | 10 / 23 | |
| 5.4.1 | 10 / 23 | |
| 5.4.0 | 9 / 22 | |
| 5.3.2 | 9 / 23 | |
| 5.3.0 | 9 / 23 | |
| 5.2.0 | 10 / 24 | |
| 5.1.0 | 9 / 23 | |
| 5.0.0 | 9 / 22 | |
| 4.5.1 | 9 / 22 | |
| 4.5.0 | 9 / 22 | |
| 4.4.2 | 8 / 20 | |
| 4.4.1 | 8 / 20 | |
| 4.4.0 | 8 / 20 | |
| 4.3.1 | 9 / 21 | |
| 4.3.0 | 9 / 21 | |
| 4.2.0 | 9 / 21 | |
| 4.1.1 | 9 / 21 | |
| 4.1.0 | 9 / 21 | |
| 4.0.2 | 8 / 20 | |
| 4.0.1 | 8 / 20 | |
| 4.0.0 | 8 / 20 | |
| 3.15.1 | 7 / 15 | |
| 3.15.0 | 7 / 15 | |
| 3.14.0 | 7 / 15 | |
| 3.13.0 | 7 / 15 | |
v6.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.2
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: palantir.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.