typescript

TypeScript is a language for application scale JavaScript development

Versions: 51
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

microsoft1es, typescript-bot, weswigham, andrewbranch, typescript-deploys, jakebailey

Keywords

TypeScript, Microsoft, compiler, language, javascript

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec() is in Jakefile.js, a build automation file not executed at install or runtime. It runs cscript for spec doc conversion — a standard build task for the TypeScript compiler project. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): TypeScript publishes continuously (2767 versions); dormancy signal is an artifact of approved-version gap, not actual inactivity. | ai | |
| source-diff | obfuscated-file:lib/_tsc.js | AI (source-diff): TypeScript ships its compiler as a single bundled JS file; long lines are from esbuild bundling, not obfuscation. Stable for this package. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate transition from single 'typescript' account to individual MS team members + typescript-bot; well-documented change in TypeScript's npm publishing. | ai | |
| provenance | publisher-changed | AI (provenance): typescript-bot is Microsoft's official automated publishing account for TypeScript; publisher change from 'typescript' account is a known legitimate transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): All added maintainers are known Microsoft TypeScript team members; legitimate team expansion on npm. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of generic 'typescript' account in favor of individual team members is a security improvement, not a concern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Comparison spans v3.3→v3.9 (many minor versions); 28 new files is expected growth for TypeScript's codebase. | ai | |
| provenance | missing-githead | AI (provenance): TypeScript is published by Microsoft's official npm account; gitHead presence varies across their publish tooling over 1300+ versions. Not a security signal for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is in Jakefile.js (build tooling only), not in any runtime or install-time code. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): TypeScript predates Sigstore provenance; older versions will never have attestations. | ai | |
| source-diff | obfuscated-file:lib/typingsInstaller.js | AI (source-diff): TypeScript ships bundled compiler output with long lines from its build process; this is standard for the package, not obfuscation. | ai | |

Versions (showing 51 of 160)

Version Deps Published
6.0.3 0 / 42
6.0.2 0 / 42
5.9.3 0 / 44
5.9.2 0 / 44
5.8.3 0 / 44
5.8.2 0 / 44
5.7.3 0 / 44
5.7.2 0 / 44
5.6.3 0 / 45
5.6.2 0 / 45
5.5.4 0 / 40
5.5.3 0 / 40
5.5.2 0 / 40
5.4.5 0 / 41
5.4.4 0 / 41
5.4.3 0 / 41
5.4.2 0 / 41
5.3.3 0 / 41
5.3.2 0 / 41
5.2.2 0 / 42
5.1.6 0 / 42
5.1.5 0 / 42
5.1.3 0 / 42
5.0.4 0 / 41
5.0.3 0 / 41
5.0.2 0 / 41
4.9.5 0 / 55
4.9.4 0 / 55
4.9.3 0 / 55
4.8.4 0 / 60
4.8.3 0 / 60
4.8.2 0 / 60
4.7.4 0 / 59
4.7.3 0 / 59
4.7.2 0 / 59
4.6.4 0 / 67
4.6.3 0 / 67
4.6.2 0 / 67
4.5.5 0 / 67
4.5.4 0 / 67
4.5.3 0 / 67
4.5.2 0 / 67
4.4.4 0 / 69
4.4.3 0 / 69
4.4.2 0 / 69
4.3.5 0 / 69
4.3.4 0 / 69
4.3.3 0 / 69
4.3.2 0 / 69
4.2.4 0 / 69
4.2.3 0 / 69