tsup
Bundle your TypeScript library with no config, powered by esbuild
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): tsup has SLSA provenance attestation via Sigstore CI/CD, which provides stronger supply chain integrity than gitHead. Missing gitHead is a false positive concern for this package. | ai | |
| provenance | publisher-changed | AI (provenance): tsup transitioned to GitHub Actions CI publishing with SLSA provenance attestation. This is a legitimate supply chain improvement; repo and author metadata still point to egoist/tsup. | ai | |
| phantom-deps | phantom-dep:postcss-load-config | AI (phantom-deps): postcss-load-config is a legitimate runtime dependency in package.json used for PostCSS config loading; may be loaded dynamically rather than via static import. | ai |
Versions (showing 100 of 204)
| Version | Deps | Published |
|---|---|---|
| 8.5.1 | 17 / 23 | |
| 8.5.0 | 17 / 23 | |
| 8.4.0 | 16 / 23 | |
| 8.3.6 | 16 / 23 | |
| 8.3.5 | 16 / 23 | |
| 8.3.4 | 16 / 23 | |
| 8.3.0 | 16 / 24 | |
| 8.2.4 | 16 / 24 | |
| 8.2.3 | 16 / 24 | |
| 8.2.2 | 16 / 24 | |
| 8.2.1 | 17 / 25 | |
| 8.2.0 | 15 / 25 | |
| 8.1.2 | 15 / 25 | |
| 8.1.1 | 15 / 25 | |
| 8.1.0 | 14 / 28 | |
| 8.0.2 | 14 / 28 | |
| 8.0.1 | 14 / 28 | |
| 8.0.0 | 14 / 28 | |
| 7.3.0 | 14 / 27 | |
| 7.2.0 | 14 / 28 | |
| 7.1.0 | 14 / 28 | |
| 7.0.0 | 14 / 28 | |
| 6.7.0 | 14 / 26 | |
| 6.6.3 | 14 / 26 | |
| 6.6.2 | 14 / 26 | |
| 6.6.1 | 14 / 26 | |
| 6.6.0 | 14 / 26 | |
| 6.5.0 | 14 / 25 | |
| 6.4.0 | 14 / 25 | |
| 6.3.0 | 14 / 25 | |
| 6.2.3 | 14 / 25 | |
| 6.2.2 | 14 / 25 | |
| 6.2.1 | 14 / 25 | |
| 6.2.0 | 14 / 25 | |
| 6.1.3 | 14 / 25 | |
| 6.1.2 | 14 / 25 | |
| 6.1.1 | 14 / 25 | |
| 6.1.0 | 14 / 26 | |
| 6.0.1 | 14 / 26 | |
| 6.0.0 | 14 / 26 | |
| 5.12.9 | 14 / 26 | |
| 5.12.8 | 14 / 26 | |
| 5.12.7 | 14 / 26 | |
| 5.12.6 | 14 / 26 | |
| 5.12.5 | 14 / 26 | |
| 5.12.4 | 14 / 26 | |
| 5.12.3 | 14 / 26 | |
| 5.12.2 | 14 / 26 | |
| 5.12.1 | 14 / 26 | |
| 5.12.0 | 14 / 26 | |
| 5.11.13 | 14 / 26 | |
| 5.11.12 | 14 / 26 | |
| 5.11.11 | 14 / 25 | |
| 5.11.10 | 14 / 25 | |
| 5.11.9 | 14 / 25 | |
| 5.11.8 | 14 / 25 | |
| 5.11.7 | 14 / 25 | |
| 5.11.6 | 14 / 25 | |
| 5.11.5 | 14 / 25 | |
| 5.11.4 | 14 / 25 | |
| 5.11.3 | 14 / 25 | |
| 5.11.2 | 14 / 25 | |
| 5.11.1 | 14 / 25 | |
| 5.11.0 | 14 / 25 | |
| 5.10.3 | 13 / 29 | |
| 5.10.2 | 13 / 29 | |
| 5.10.1 | 13 / 28 | |
| 5.10.0 | 13 / 32 | |
| 5.9.2 | 13 / 31 | |
| 5.9.1 | 13 / 31 | |
| 5.9.0 | 13 / 31 | |
| 5.8.1 | 13 / 31 | |
| 5.8.0 | 13 / 30 | |
| 5.7.4 | 13 / 29 | |
| 5.7.3 | 13 / 29 | |
| 5.7.2 | 13 / 28 | |
| 5.7.1 | 13 / 28 | |
| 5.7.0 | 13 / 28 | |
| 5.6.3 | 13 / 28 | |
| 5.6.2 | 13 / 28 | |
| 5.6.1 | 13 / 29 | |
| 5.6.0 | 13 / 28 | |
| 5.5.0 | 13 / 28 | |
| 5.4.4 | 13 / 28 | |
| 5.4.3 | 13 / 28 | |
| 5.4.2 | 13 / 28 | |
| 5.4.1 | 13 / 26 | |
| 5.4.0 | 13 / 26 | |
| 5.3.0 | 13 / 26 | |
| 5.2.1 | 13 / 26 | |
| 5.2.0 | 13 / 26 | |
| 5.1.0 | 13 / 26 | |
| 5.0.0 | 12 / 27 | |
| 4.14.0 | 13 / 26 | |
| 4.13.1 | 13 / 26 | |
| 4.13.0 | 13 / 26 | |
| 4.12.5 | 13 / 26 | |
| 4.12.4 | 13 / 26 | |
| 4.12.3 | 13 / 26 | |
| 4.12.2 | 13 / 26 |
v8.5.1
2 findingsThis version was published by a different npm account than previous versions on 2025-11-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: egoist.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.4.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: egoist.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: egoist.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: egoist.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.4
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: egoist.
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.0
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.4
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.3
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.2
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.1
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.0
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.1.2
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.1.1
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.1.0
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.2
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.1
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.0
2 findingsA DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
v7.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
v7.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
v7.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components