tsx — Greenflagged

TypeScript Execute (tsx): Node.js enhanced with esbuild to run TypeScript & ESM files

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

hirokiosame

Keywords

cliruntimenodecjscommonjsesmtypescripttypescript runner

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/register-CHVGxKtC.cjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/24
source-diff	obfuscated-file:dist/register-D_B8UL5H.mjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/24
source-diff	obfuscated-file:dist/register-BnTWPeIB.mjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/index-XurvG3JN.mjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/register-DS7J8l_a.cjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/index-D9F1FXzN.cjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/register-BOkp8V6j.cjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/register-Ddio2Vih.mjs	AI (source-diff): Standard esbuild-minified bundle output; stable pattern for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist/register-oEokg99B.cjs	AI (source-diff): Standard esbuild-bundled output for this package; stable false positive.	ai	2026/05/18
source-diff	obfuscated-file:dist/register-HCiphi1e.mjs	AI (source-diff): Standard esbuild-bundled output for this package; stable false positive.	ai	2026/05/18
source-diff	obfuscated-file:dist/register-BmBLtb39.mjs	AI (source-diff): Standard esbuild-bundled output for this package; stable false positive.	ai	2026/05/18
source-diff	obfuscated-file:dist/register-B4MtRGQg.cjs	AI (source-diff): Standard esbuild-bundled output for this package; stable false positive.	ai	2026/05/18
source-diff	obfuscated-file:dist/index-CDeh32pY.mjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
source-diff	obfuscated-file:dist/index-C8LOAU3M.cjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
source-diff	obfuscated-file:dist/register-BwcD2ly9.cjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
source-diff	obfuscated-file:dist/register-DJgoUG_Q.cjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
source-diff	obfuscated-file:dist/register-BQpI82el.mjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
source-diff	obfuscated-file:dist/register-lJYvHe5s.mjs	AI (source-diff): Standard esbuild-bundled output for tsx; minified but readable, no obfuscation.	ai	2026/05/14
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; stable for this package.	ai	2026/05/14
publish-pattern	dormant-publish	AI (publish-pattern): Established package with provenance; dormancy is normal release cadence variation.	ai	2026/05/14
source-diff	obfuscated-file:dist/register-CoxCwfHn.cjs	AI (source-diff): Minified bundle output; stable pattern for tsx.	ai	2026/04/27
source-diff	obfuscated-file:dist/register-D46fvsV_.cjs	AI (source-diff): Standard minified bundle output; stable pattern for tsx.	ai	2026/04/27
source-diff	obfuscated-file:dist/index-7AaEi15b.mjs	AI (source-diff): ESM counterpart of the same minified bundle.	ai	2026/04/27
source-diff	obfuscated-file:dist/index-gckBtVBf.cjs	AI (source-diff): Minified esbuild/rollup bundle; standard for this build-tool package.	ai	2026/04/27
source-diff	obfuscated-file:dist/register-BXA4IaYH.cjs	AI (source-diff): Minified CJS register hook; standard build output.	ai	2026/04/27
source-diff	obfuscated-file:dist/lexer-DQCqS3nf.mjs	AI (source-diff): ESM counterpart of lexer CJS bundle; same pattern.	ai	2026/04/27
source-diff	obfuscated-file:dist/index-DGv_vkxZ.mjs	AI (source-diff): ESM counterpart of index CJS bundle; same pattern.	ai	2026/04/27
source-diff	obfuscated-file:dist/register-D2KMMyKp.cjs	AI (source-diff): Bundled CJS register hook; readable minified code.	ai	2026/04/27
source-diff	obfuscated-file:dist/index-CylV0-__.cjs	AI (source-diff): Bundled esbuild output with readable identifiers; standard for this package.	ai	2026/04/27
source-diff	large-new-source-files	AI (source-diff): Restructured dist output with hash-based filenames; stable pattern for tsx.	ai	2026/04/27
source-diff	obfuscated-file:dist/register-CuoYSLaL.mjs	AI (source-diff): ESM counterpart of register CJS bundle; same pattern.	ai	2026/04/27
source-diff	obfuscated-file:dist/lexer-DgIbo0BU.cjs	AI (source-diff): Bundled es-module-lexer WASM loader; standard minified output.	ai	2026/04/27
provenance	no-provenance	AI (provenance): tsx is a legitimate, established package; lack of provenance attestation is common and not a risk signal here.	ai	2026/04/22
typosquat	typosquat.levenshtein:qs	AI (typosquat): tsx is a well-known TypeScript runner with its own identity; the Levenshtein match to 'qs' is a false positive — these packages serve entirely different purposes.	ai	2026/04/22

Versions (showing 15 of 15)

Version	Deps	Published
4.22.3	1 / 0	2026-05-19
4.22.2	1 / 0	2026-05-18
4.22.1	1 / 0	2026-05-17
4.22.0	1 / 0	2026-05-14
4.21.1	1 / 0	2026-05-14
4.21.0	2 / 0	2025-11-30
4.20.6	2 / 0	2025-09-26
4.20.5	2 / 0	2025-08-24
4.20.4	2 / 0	2025-08-12
4.20.3	2 / 0	2025-06-13
4.20.2	2 / 0	2025-06-12
4.20.1	2 / 0	2025-06-11
4.20.0	2 / 0	2025-06-11
4.19.4	2 / 0	2025-04-29
4.11.2	2 / 0	2024-06-03

v4.22.3

7 findings

HIGH New obfuscated file: dist/index-D9F1FXzN.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BOkp8V6j.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-CHVGxKtC.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-XurvG3JN.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BnTWPeIB.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-D_B8UL5H.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.22.2

7 findings

HIGH New obfuscated file: dist/index-D9F1FXzN.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BOkp8V6j.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-DS7J8l_a.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-XurvG3JN.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BnTWPeIB.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-Ddio2Vih.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.22.1

5 findings

HIGH New obfuscated file: dist/register-B4MtRGQg.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-oEokg99B.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BmBLtb39.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-HCiphi1e.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.22.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.1

8 findings

HIGH Publisher changed: hirokiosame → GitHub Actions (on 2026-05-14) provenance

This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index-C8LOAU3M.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BwcD2ly9.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-DJgoUG_Q.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-CDeh32pY.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-BQpI82el.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-lJYvHe5s.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.6

6 findings

HIGH New obfuscated file: dist/index-gckBtVBf.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/lexer-DgIbo0BU.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/register-D46fvsV_.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-7AaEi15b.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/lexer-DQCqS3nf.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.20.3