xml-js — Greenflagged

A convertor between XML text and Javascript object / JSON text.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nashwaan

Keywords

XMLxmljsJSONjsoncdataCDATAdoctypeprocessing instructionJavascriptjs2xmljson2xmlxml2jsxml2jsontransformtransformertransformingtransformationconvertconvertorconvertingconversionparseparserparsing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; publisher is the original author with a clean track record over 3621 days.	ai	2026/04/24
source-diff	net-exec-file:test/browse-jasmine/lib/jasmine-2.5.0/jasmine.js	AI (source-diff): Standard Jasmine 2.5.0 test framework bundle (Pivotal Labs, MIT). Test-only asset, not runtime code. Network+exec patterns are normal for test frameworks.	ai	2026/04/24
source-diff	net-exec-file:test/browse-jasmine/lib/jasmine-2.5.2/jasmine.js	AI (source-diff): This is the standard Jasmine 2.5.2 test framework library (from Pivotal Labs) bundled for browser test running. Not malicious.	ai	2026/04/24
semgrep	semgrep:eval-usage	AI (semgrep): eval() is in vendored Jasmine test framework code, not in the package's runtime library. Standard Jasmine pattern.	ai	2026/04/24
source-diff	net-exec-file:jasmine/lib/jasmine-2.5.0/jasmine.js	AI (source-diff): Standard Jasmine 2.5.0 test framework library (Pivotal Labs); not runtime code. Network+exec pattern is Jasmine internals.	ai	2026/04/24
source-diff	net-exec-file:dist/xml-js.js	AI (source-diff): Standard webpack bundle output for browser distribution; dynamic require and module.call are webpack boilerplate, not malicious network/exec patterns.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase is from adding webpack dist bundles for browser use; consistent with the new build script.	ai	2026/04/24
source-diff	net-exec-file:dist/xml-js.min.js	AI (source-diff): Minified webpack bundle of the same library; same false positive as the unminified version.	ai	2026/04/24

Versions (showing 49 of 49)

Version	Deps	Published
1.6.11	1 / 25	2019-02-13
1.6.10	1 / 25	2019-02-13
1.6.9	1 / 25	2019-01-11
1.6.8	1 / 25	2018-09-20
1.6.7	1 / 25	2018-07-03
1.6.6	1 / 25	2018-07-03
1.6.5	1 / 25	2018-07-03
1.6.4	1 / 25	2018-05-24
1.6.3	1 / 25	2018-05-18
1.6.2	1 / 25	2018-01-03
1.6.1	1 / 17	2017-12-18
1.6.0	1 / 16	2017-12-17
1.5.2	1 / 14	2017-11-10
1.5.1	1 / 14	2017-10-03
1.5.0	1 / 14	2017-10-02
1.4.2	1 / 14	2017-09-12
1.4.1	1 / 14	2017-08-21
1.4.0	1 / 14	2017-08-19
1.3.4	1 / 14	2017-08-16
1.3.3	1 / 14	2017-08-13
1.3.2	1 / 14	2017-05-25
1.3.1	1 / 14	2017-05-25
1.3.0	1 / 14	2017-05-21
1.2.2	1 / 14	2017-04-27
1.2.1	1 / 14	2017-04-27
1.2.0	1 / 14	2017-04-27
1.1.0	1 / 14	2017-04-27
1.0.2	1 / 15	2017-01-25
1.0.1	1 / 15	2017-01-25
1.0.0	1 / 15	2017-01-13
0.9.7	1 / 14	2016-11-04
0.9.6	1 / 14	2016-11-01
0.9.5	1 / 14	2016-09-07
0.9.4	1 / 14	2016-09-06
0.9.3	1 / 16	2016-06-11
0.9.2	1 / 16	2016-06-07
0.9.1	1 / 16	2016-06-06
0.9.0	1 / 16	2016-06-06
0.8.9	1 / 17	2016-06-06
0.8.8	1 / 17	2016-06-05
0.8.7	1 / 17	2016-06-02
0.8.6	1 / 17	2016-06-02
0.8.5	1 / 17	2016-06-01
0.8.4	1 / 17	2016-05-31
0.8.3	1 / 17	2016-05-31
0.8.2	1 / 17	2016-05-31
0.8.1	1 / 17	2016-05-31
0.8.0	1 / 17	2016-05-30
0.1.0	1 / 16	2016-05-25

v1.6.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.3

3 findings

HIGH New file with network + code execution: dist/xml-js.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/xml-js.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.2

3 findings

HIGH New file with network + code execution: dist/xml-js.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/xml-js.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.6

2 findings

HIGH New file with network + code execution: test/browse-jasmine/lib/jasmine-2.5.2/jasmine.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.5

2 findings

HIGH New file with network + code execution: test/browse-jasmine/lib/jasmine-2.5.0/jasmine.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.4

2 findings

HIGH New file with network + code execution: jasmine/lib/jasmine-2.5.0/jasmine.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.