vscode-pug-languageservice
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are canonical Microsoft LSP packages (vscode-languageserver-textdocument, vscode-languageserver-types), replacing the removed vscode-languageserver dep — a standard refactoring for LSP tooling. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established package (1817 days, 93 versions) with trusted publisher; metadata gaps are stylistic, not malware indicators. | ai | |
| dependencies | unvetted-dep:pug-parser | AI (dependencies): pug-parser is a legitimate, well-known package in the pug template ecosystem; its use is expected and appropriate for a Pug language service. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package in the Volar ecosystem with clear repository and purpose; missing description is a cosmetic issue, not a security signal. | ai | |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 0.31.2 | 8 / 1 | |
| 0.31.0 | 8 / 1 | |
| 0.30.6 | 8 / 1 | |
| 0.30.3 | 8 / 1 | |
| 0.30.2 | 8 / 1 | |
| 0.30.1 | 7 / 2 | |
| 0.30.0 | 7 / 2 | |
| 0.29.6 | 7 / 2 | |
| 0.29.4 | 7 / 2 | |
| 0.29.3 | 7 / 2 | |
| 0.29.2 | 7 / 2 | |
| 0.29.1 | 7 / 2 | |
| 0.29.0 | 7 / 2 | |
| 0.28.10 | 7 / 2 | |
| 0.28.8 | 7 / 2 | |
| 0.28.7 | 7 / 2 | |
| 0.28.6 | 7 / 2 | |
| 0.28.4 | 7 / 2 | |
| 0.28.0 | 7 / 2 | |
| 0.27.24 | 7 / 2 | |
| 0.27.21 | 7 / 2 | |
| 0.27.14 | 7 / 2 | |
| 0.27.11 | 7 / 2 | |
| 0.27.8 | 7 / 2 | |
| 0.27.6 | 7 / 2 | |
| 0.27.4 | 7 / 2 | |
| 0.27.3 | 7 / 2 | |
| 0.26.16 | 7 / 2 | |
| 0.26.15 | 7 / 2 | |
| 0.26.14 | 7 / 2 | |
| 0.26.10 | 7 / 2 | |
| 0.26.9 | 7 / 2 | |
| 0.26.8 | 7 / 2 | |
| 0.26.4 | 7 / 2 | |
| 0.25.26 | 8 / 2 | |
| 0.25.25 | 8 / 2 | |
| 0.25.23 | 8 / 2 | |
| 0.25.20 | 8 / 2 | |
| 0.25.18 | 8 / 2 | |
| 0.25.17 | 8 / 2 | |
| 0.25.1 | 8 / 2 | |
| 0.25.0 | 8 / 2 | |
v0.31.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.