tsup
Bundle your TypeScript library with no config, powered by esbuild
Versions: 4
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
egoist, sxzz
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): tsup has SLSA provenance attestation via Sigstore CI/CD, which provides stronger supply chain integrity than gitHead. Missing gitHead is a false positive concern for this package. | ai | |
| provenance | publisher-changed | AI (provenance): tsup transitioned to GitHub Actions CI publishing with SLSA provenance attestation. This is a legitimate supply chain improvement; repo and author metadata still point to egoist/tsup. | ai | |
| phantom-deps | phantom-dep:postcss-load-config | AI (phantom-deps): postcss-load-config is a legitimate runtime dependency in package.json used for PostCSS config loading; may be loaded dynamically rather than via static import. | ai | |