uglify-js
JavaScript parser, mangler/compressor and beautifier toolkit
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode in lib/minify.js is used to decode inline source maps — a documented, legitimate feature of uglify-js. Not a malicious payload vector. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is a declared runtime dep used by the CLI binary (bin/uglifyjs); not imported in the library entry point but legitimately used. Stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is an intentional, documented pattern in uglify-js for dynamically constructing AST node class constructors. Not malicious; stable across versions of this package. | ai | |
| phantom-deps | phantom-dep:async | AI (phantom-deps): async is a declared runtime dependency used in build/config context; phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:uglify-to-browserify | AI (phantom-deps): uglify-to-browserify is a declared dependency used as a browserify transform in package.json config; phantom-dep finding is a false positive for this package. | ai |
Versions (showing 49 of 249)
| Version | Deps | Published |
|---|---|---|
| 2.8.10 | 3 / 5 | |
| 2.8.9 | 3 / 5 | |
| 2.8.8 | 3 / 5 | |
| 2.8.7 | 3 / 5 | |
| 2.8.6 | 3 / 5 | |
| 2.8.5 | 4 / 5 | |
| 2.8.4 | 4 / 5 | |
| 2.8.3 | 4 / 5 | |
| 2.8.2 | 4 / 5 | |
| 2.8.1 | 4 / 5 | |
| 2.8.0 | 4 / 5 | |
| 2.7.5 | 4 / 5 | |
| 2.7.4 | 4 / 5 | |
| 2.7.3 | 4 / 5 | |
| 2.7.2 | 4 / 5 | |
| 2.7.1 | 4 / 5 | |
| 2.7.0 | 4 / 5 | |
| 2.6.4 | 4 / 5 | |
| 2.6.3 | 4 / 5 | |
| 2.6.2 | 4 / 5 | |
| 2.6.1 | 4 / 4 | |
| 2.6.0 | 4 / 4 | |
| 1.3.5 | 0 / 1 | |
| 1.3.4 | 0 / 1 | |
| 1.3.3 | 0 / 1 | |
| 1.3.2 | 0 / 1 | |
| 1.3.1 | 0 / 1 | |
| 1.3.0 | 0 / 1 | |
| 1.2.6 | 0 / 0 | |
| 1.2.5 | 0 / 0 | |
| 1.2.4 | 0 / 0 | |
| 1.2.3 | 0 / 0 | |
| 1.2.2 | 0 / 0 | |
| 1.2.1 | 0 / 0 | |
| 1.2.0 | 0 / 0 | |
| 1.1.1 | 0 / 0 | |
| 1.1.0 | 0 / 0 | |
| 1.0.7 | 0 / 0 | |
| 1.0.6 | 0 / 0 | |
| 1.0.5 | 0 / 0 | |
| 1.0.4 | 0 / 0 | |
| 1.0.3 | 0 / 0 | |
| 1.0.2 | 0 / 0 | |
| 1.0.1 | 0 / 0 | |
| 0.0.5 | 0 / 0 | |
| 0.0.4 | 0 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.2 | 0 / 0 | |
| 0.0.1 | 0 / 0 |
v2.8.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.