← Home

twing

npm Repository Homepage

First-class Twig engine for the JavaScript ecosystem

100
Versions
BSD-2-Clause
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ericmorand

Keywords

browsercompilertemplatetwigtwig-enginetypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:utf8-binary-cutter AI (phantom-deps): utf8-binary-cutter is a legitimate declared runtime dependency; phantom flag reflects indirect/conditional usage, not a malicious binary. ai
source-diff large-new-source-files AI (source-diff): Twing is a large template engine; v6.0.0 is a major rewrite with restructured dist output. Large file counts are expected for this package's scope and release pattern. ai
dependencies unvetted-dep:locutus AI (dependencies): locutus is a well-known PHP-to-JS port library and a long-standing dependency of twing; not a security concern for this package. ai
provenance no-provenance AI (provenance): Twing is a mature, established package with 3122 days of history; lack of Sigstore provenance is a process gap, not a security risk. ai

Versions (showing 100 of 100)

Version Deps Published
7.2.0 0 / 0
7.1.3 16 / 0
7.0.0 17 / 0
6.0.0 17 / 0
5.2.2 20 / 28
5.2.1 20 / 28
5.2.0 20 / 28
5.1.6 20 / 28
5.1.5 20 / 28
5.1.4 20 / 27
5.1.3 20 / 27
5.1.2 25 / 25
5.1.1 25 / 25
5.1.0 25 / 25
5.0.2 25 / 25
5.0.1 25 / 25
5.0.0 25 / 25
4.0.6 25 / 25
4.0.5 25 / 25
4.0.4 25 / 25
4.0.3 25 / 25
4.0.2 25 / 25
4.0.1 25 / 25
4.0.0 25 / 25
3.1.1 26 / 24
3.1.0 26 / 24
3.0.3 26 / 24
3.0.2 26 / 24
3.0.1 26 / 19
3.0.0 26 / 19
2.3.7 26 / 18
2.3.6 26 / 18
2.3.5 26 / 19
2.3.4 25 / 19
2.3.3 25 / 19
2.3.2 25 / 19
2.3.1 25 / 19
2.3.0 25 / 19
2.2.7 25 / 19
2.2.6 25 / 19
2.2.5 25 / 19
2.2.4 25 / 19
2.2.3 25 / 19
2.2.2 25 / 19
2.2.1 25 / 19
2.2.0 24 / 19
2.1.4 24 / 19
2.1.3 24 / 19
2.1.2 24 / 19
2.1.1 24 / 19
2.1.0 24 / 19
2.0.0 25 / 20
1.3.1 29 / 17
1.3.0 29 / 17
1.2.7 29 / 17
1.2.6 29 / 17
1.2.5 29 / 17
1.2.4 29 / 17
1.2.3 29 / 17
1.2.2 29 / 17
1.2.1 29 / 17
1.2.0 29 / 17
1.1.1 28 / 17
1.1.0 28 / 17
1.0.3 28 / 17
1.0.2 28 / 17
1.0.1 28 / 17
1.0.0 28 / 17
0.12.0 28 / 17
0.11.1 28 / 17
0.11.0 28 / 17
0.10.3 29 / 17
0.10.2 28 / 18
0.10.1 27 / 18
0.10.0 27 / 18
0.9.1 25 / 18
0.9.0 25 / 18
0.8.1 26 / 16
0.8.0 27 / 16
0.7.0 27 / 24
0.6.1 27 / 24
0.6.0 27 / 24
0.5.3 27 / 24
0.5.2 27 / 24
0.5.1 27 / 24
0.5.0 27 / 24
0.4.6 27 / 24
0.4.5 26 / 23
0.4.4 26 / 23
0.4.3 26 / 23
0.4.2 26 / 23
0.4.1 26 / 23
0.4.0 26 / 23
0.3.1 26 / 23
0.3.0 26 / 23
0.2.0 23 / 20
0.1.3 4 / 7
0.1.2 4 / 7
0.1.1 4 / 7
0.1.0 4 / 7

v7.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.1.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.