vanilla-jsoneditor
A web-based tool to view, edit, format, transform, and validate JSON
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
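What a consumer can and cannot verify from the registry metadata alone, as an added example (not part of this report and not vanilla-jsoneditor's own code): the packument fragments below are constructed to mirror the registry's `dist` object, the tarball bytes are fake, and the provenance-enabled variant is hypothetical. The SRI integrity check proves the downloaded bytes are what the registry served; only a listed (and then Sigstore-verified) SLSA attestation links those bytes back to a source commit.

```python
"""Check what an npm packument's `dist` object can and cannot prove about a
tarball. Added example for this page, not the scanner's or vanilla-jsoneditor's
own code: the packument fragments are constructed, the tarball bytes are fake."""
import base64
import copy
import hashlib
import hmac

# Constructed "tarball" and its SRI string, as a lockfile or packument carries it.
TARBALL = b"\x1f\x8b\x08\x00 fake tarball bytes for the example"
SRI = "sha512-" + base64.b64encode(hashlib.sha512(TARBALL).digest()).decode()

# Constructed packument for a version published with a plain `npm publish`
# (no `--provenance`): an integrity hash, but no attestations at all.
PACKUMENT_NO_PROVENANCE = {
    "name": "vanilla-jsoneditor",
    "version": "3.12.0",
    "dist": {
        "integrity": SRI,
        "tarball": "https://registry.npmjs.org/vanilla-jsoneditor/-/vanilla-jsoneditor-3.12.0.tgz",
    },
}

# Hypothetical provenance-enabled publish of the same version. `dist.attestations`
# is what `npm publish --provenance` from a trusted CI workflow adds; the URL and
# predicate type follow the registry's layout (assumption for this example).
PACKUMENT_WITH_PROVENANCE = copy.deepcopy(PACKUMENT_NO_PROVENANCE)
PACKUMENT_WITH_PROVENANCE["dist"]["attestations"] = {
    "url": "https://registry.npmjs.org/-/npm/v1/attestations/vanilla-jsoneditor@3.12.0",
    "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
}


def verify_integrity(dist: dict, tarball: bytes) -> bool:
    """Recompute the SRI digest over the tarball bytes and compare in constant time.
    This proves only that the bytes match what the registry published, i.e. that
    nothing changed in transit. It says nothing about how the tarball relates to
    the public source repository."""
    algo, _, b64 = dist["integrity"].partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    expected = base64.b64decode(b64)
    actual = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(expected, actual)


def provenance_status(dist: dict) -> str:
    """Report whether the registry lists a build attestation for this version.
    Presence is necessary, not sufficient: the attestation still has to be
    verified against Sigstore (e.g. with `npm audit signatures`)."""
    att = dist.get("attestations")
    if not att:
        return "no-provenance"
    predicate = att.get("provenance", {}).get("predicateType", "")
    if predicate.startswith("https://slsa.dev/provenance/"):
        return "slsa-provenance-listed"
    return "attested-unknown-predicate"


def assess(packument: dict, tarball: bytes) -> dict:
    """Combine both checks into the verdict a reviewer needs: integrity says the
    bytes are the registry's; provenance says whether there is any link from
    those bytes back to a source commit."""
    dist = packument["dist"]
    status = provenance_status(dist)
    return {
        "version": packument["version"],
        "integrity_ok": verify_integrity(dist, tarball),
        "provenance": status,
        "source_linked": status == "slsa-provenance-listed",
    }


if __name__ == "__main__":
    for p in (PACKUMENT_NO_PROVENANCE, PACKUMENT_WITH_PROVENANCE):
        print(assess(p, TARBALL))
```

Against a live registry the same logic applies to the JSON from `npm view <pkg>@<version> dist --json`; note that a matching integrity hash on a version without attestations is exactly the state the finding describes: bytes that are authentic to the registry but not tied to any source.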
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:ajv-dist | AI (phantom-deps): Legitimate runtime dependency for JSON schema validation; used indirectly through build system. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Utility library for CSS class management; common in Svelte projects, used indirectly. | ai | |
| phantom-deps | phantom-dep:codemirror | AI (phantom-deps): Core editor dependency; used indirectly through Svelte components and build bundling. | ai | |
| phantom-deps | phantom-dep:svelte-select | AI (phantom-deps): Svelte component library; used indirectly through Svelte build system. | ai | |
| phantom-deps | phantom-dep:svelte-awesome | AI (phantom-deps): Icon library for Svelte; used indirectly through component bundling. | ai | |
| phantom-deps | phantom-dep:vanilla-picker | AI (phantom-deps): Color picker library; used indirectly through Svelte components. | ai | |
| phantom-deps | phantom-dep:svelte-simple-modal | AI (phantom-deps): Modal component library; used indirectly through Svelte build system. | ai | |
| phantom-deps | phantom-dep:@fontsource/fira-mono | AI (phantom-deps): Font dependency; used indirectly through CSS bundling. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-solid-svg-icons | AI (phantom-deps): Icon library; used indirectly through Svelte components. | ai | |
| provenance | no-provenance | AI (provenance): Missing provenance is common (~88% of npm packages); not indicative of compromise for established, trusted publisher. | ai | |
| source-diff | encoded-string-file:index.js | AI (source-diff): The 'encoded strings' are minified lodash ES module export maps — standard bundled output for a UI library. Not obfuscated payloads; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): sass is a legitimate build dependency referenced in config; common in projects using SCSS tooling. | ai | |
| phantom-deps | phantom-dep:@replit/codemirror-indentation-markers | AI (phantom-deps): Declared dependency referenced in config; expected pattern for bundled library with optional/peer-like usage. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in minified bundled code with source map; expected pattern in compiled output, not obfuscation. | ai | |
| source-diff | encoded-string-file:standalone.js | AI (source-diff): Encoded strings are FontAwesome icon SVG data in bundled output; legitimate for a JSON editor UI library. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in minified bundled code; common in template engines and build output, not a malware indicator here. | ai | |
| dependencies | unvetted-dep:jsonpath-plus | AI (dependencies): jsonpath-plus is a legitimate JSON path query library; reasonable version constraint (^9.0.0) and appropriate for a JSON editor tool. | ai | |
| phantom-deps | phantom-dep:@codemirror/view | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@lezer/highlight | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/state | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/search | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/commands | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/language | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:natural-compare-lite | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/lang-json | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/autocomplete | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jsonquerylang/jsonquery | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:codemirror-wrapped-line-indent | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-regular-svg-icons | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Same bundled distribution pattern — declared as runtime dependency for consumers, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:jmespath | AI (phantom-deps): vanilla-jsoneditor ships pre-bundled output; declared deps are runtime peer deps not directly imported in the bundle's source. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonrepair | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:memoize-one | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonpath-plus | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:diff-sequences | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:json-source-map | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/lint | AI (phantom-deps): Same bundled distribution pattern — stable false positive for this package. | ai |
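Two of the rules behind the rows above, `phantom-dep:*` and `encoded-string-file:*`, re-created as an added example so the accepted reasons can be checked rather than taken on trust. This is not the scanner's code or the project's: the regexes are my own heuristics, the package fixture is constructed, and the sink list is an assumption. It shows why a pre-bundled package trips the phantom rule (declared deps were inlined at build time, so nothing in the shipped files imports them) and how to separate an icon-path or export-map string from a base64 blob that is decoded and executed.

```python
"""Re-create the `phantom-dep:*` and `encoded-string-file:*` checks on a
constructed fixture. Added example for this page; heuristics are my own,
not the scanner's rules, and no real package is read."""
import base64
import re

# Constructed package.json: three runtime deps and one build-time dep.
PACKAGE_JSON = {
    "name": "example-editor",
    "dependencies": {"lodash-es": "^4.17.21", "jsonrepair": "^3.0.0", "jmespath": "^0.16.0"},
    "devDependencies": {"sass": "^1.0.0"},
}

# Constructed shipped files. `index.js` is a bundle: its deps were inlined, so it
# imports nothing from node_modules and carries an icon's SVG path as one long
# string. `standalone.js` is the pattern that is NOT a false positive: a long
# base64 string fed straight into a code sink. `src/lib.js` is unbundled source.
SVG_PATH = "M" + " ".join(f"{i * 7 % 500} {i * 13 % 500} L" for i in range(60))
BASE64_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
FILES = {
    "index.js": "import{escape}from'./_lodash_inlined.js';const icon={path:'" + SVG_PATH + "'};export{icon};",
    "standalone.js": 'const p="' + BASE64_BLOB + '";new Function(atob(p))();',
    "src/lib.js": "import { jsonrepair } from 'jsonrepair';\nconst esc = require('lodash-es/escape');\n",
}

IMPORT_RE = re.compile(r"""(?:from\s*|import\s*\(?\s*|require\s*\(\s*)['"]([^'"]+)['"]""")
LONG_STRING_RE = re.compile(r"""['"]([^'"\n]{200,})['"]""")
SINK_RE = re.compile(r"\b(eval|Function|atob|Buffer\.from)\s*\(")  # assumed sink list


def package_name(spec: str):
    """Map an import specifier to its package: '@scope/x/y' -> '@scope/x', 'a/b' -> 'a'.
    Relative and absolute paths are not packages."""
    if spec.startswith((".", "/")):
        return None
    parts = spec.split("/")
    return "/".join(parts[:2]) if spec.startswith("@") else parts[0]


def phantom_deps(pkg: dict, files: dict) -> dict:
    """Declared runtime deps never imported by the shipped files are 'phantom';
    imported packages never declared are the more dangerous inverse."""
    used = set()
    for text in files.values():
        for spec in IMPORT_RE.findall(text):
            name = package_name(spec)
            if name:
                used.add(name)
    declared = set(pkg.get("dependencies", {}))
    return {"phantom": sorted(declared - used), "undeclared": sorted(used - declared)}


def classify(s: str) -> str:
    """Cheap content classification for a long string literal."""
    if re.fullmatch(r"[MLHVCSQTAZmlhvcsqtaz0-9 .,\-]+", s):
        return "svg-path"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        raw = base64.b64decode(s)
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
        return "base64-text" if printable > 0.9 else "base64-binary"
    return "other"


def long_encoded_strings(files: dict) -> list:
    """Flag string literals of 200+ chars, then triage: a decodable blob in a file
    that also calls a decode/execute sink needs a human; icon paths do not."""
    findings = []
    for path, text in files.items():
        sinks = sorted(set(SINK_RE.findall(text)))
        for m in LONG_STRING_RE.finditer(text):
            kind = classify(m.group(1))
            benign = kind in ("svg-path", "base64-text") and not sinks
            findings.append({"file": path, "length": len(m.group(1)), "kind": kind,
                             "sinks": sinks, "triage": "likely-benign" if benign else "needs-review"})
    return findings


if __name__ == "__main__":
    print(phantom_deps(PACKAGE_JSON, FILES))
    for finding in long_encoded_strings(FILES):
        print(finding)
```

On the fixture, `jmespath` is the phantom (declared, never imported) while `lodash-es` and `jsonrepair` are found through the unbundled source; the icon string in `index.js` triages as likely benign, and the blob in `standalone.js` is flagged because the same file calls `Function(` and `atob(`. The rows above that accept `new Function()` and `Reflect.get()` in minified output are reasonable only if, as here for the bundle, no long encoded literal is routed into such a sink.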
Versions (showing 51 of 126)
| Version | Deps | Published |
|---|---|---|
| 3.12.0 | 26 / 0 | |
| 3.11.0 | 26 / 0 | |
| 3.10.0 | 26 / 0 | |
| 3.9.0 | 26 / 0 | |
| 3.8.0 | 26 / 0 | |
| 3.7.0 | 26 / 0 | |
| 3.6.1 | 26 / 0 | |
| 3.6.0 | 26 / 0 | |
| 3.5.0 | 26 / 0 | |
| 3.4.0 | 26 / 0 | |
| 3.3.1 | 26 / 0 | |
| 3.3.0 | 26 / 0 | |
| 3.2.0 | 26 / 0 | |
| 3.1.1 | 26 / 0 | |
| 3.1.0 | 26 / 0 | |
| 3.0.0 | 26 / 0 | |
| 2.4.0 | 26 / 0 | |
| 2.3.3 | 26 / 0 | |
| 2.3.2 | 26 / 0 | |
| 2.3.1 | 26 / 0 | |
| 2.3.0 | 26 / 0 | |
| 2.2.1 | 26 / 0 | |
| 2.2.0 | 26 / 0 | |
| 2.1.0 | 26 / 0 | |
| 2.0.2 | 27 / 0 | |
| 2.0.1 | 27 / 0 | |
| 2.0.0 | 27 / 0 | |
| 1.1.2 | 27 / 0 | |
| 1.1.1 | 27 / 0 | |
| 1.1.0 | 27 / 0 | |
| 1.0.8 | 27 / 0 | |
| 1.0.7 | 27 / 0 | |
| 1.0.6 | 27 / 0 | |
| 1.0.5 | 27 / 0 | |
| 1.0.4 | 27 / 0 | |
| 1.0.3 | 27 / 0 | |
| 1.0.2 | 27 / 0 | |
| 1.0.1 | 27 / 0 | |
| 1.0.0 | 27 / 0 | |
| 0.23.8 | 25 / 0 | |
| 0.23.7 | 25 / 0 | |
| 0.23.6 | 25 / 0 | |
| 0.23.5 | 25 / 0 | |
| 0.23.4 | 25 / 0 | |
| 0.23.3 | 25 / 0 | |
| 0.19.0 | 4 / 0 | |
| 0.18.13 | 4 / 0 | |
| 0.18.12 | 4 / 0 | |
| 0.18.11 | 4 / 0 | |
| 0.18.10 | 4 / 0 | |
| 0.18.9 | 4 / 0 |
Findings by version
| Version | Findings | Accepted risk |
|---|---|---|
| v3.12.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.11.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.10.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.9.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.8.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.7.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.6.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.6.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.5.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.4.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.3.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.3.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.2.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.1.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.1.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v3.0.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.4.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.3.3 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.3.2 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.3.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.3.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.2.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.2.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.1.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.0.2 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v2.0.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.1.2 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.1.1 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.1.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.8 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.7 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.6 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.5 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.4 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.3 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.2 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v1.0.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | yes |
| v0.19.0 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |
| v0.18.13 | 1: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |
| v0.18.12 | 2: (1) Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (2) Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |
| v0.18.11 | 2: (1) Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (2) Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |
| v0.18.10 | 2: (1) Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (2) Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |
| v0.18.9 | 2: (1) Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (2) Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. | no |