← Home

xo

npm Repository Homepage

JavaScript/TypeScript linter (ESLint wrapper) with great defaults

3
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhus

Keywords

cli-appclixoxoxohappyhappinesscodequalitystylelintlinterjshintjslinteslintvalidatecode stylestandardstrictcheckcheckerverifyenforcehintsimplejavascripttypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
typosquat typosquat.levenshtein:koa AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
typosquat typosquat.levenshtein:got AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
typosquat typosquat.levenshtein:pg AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
typosquat typosquat.levenshtein:qs AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
typosquat typosquat.levenshtein:joi AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
typosquat typosquat.levenshtein:zod AI (typosquat): xo is a legitimate, established package; 2-char name causes spurious Levenshtein matches. ai
npm-metadata url-dep:xo AI (npm-metadata): Self-referential file:. devDependency is standard practice for a tool that lints itself during development. ai
phantom-deps phantom-dep:typescript-eslint AI (phantom-deps): Used as a runtime dep in config; phantom-dep heuristic fires on config-only usage. ai
phantom-deps phantom-dep:@sindresorhus/tsconfig AI (phantom-deps): Referenced in config files; phantom-dep heuristic fires on config-only usage. ai

Versions (showing 3 of 3)

Version Deps Published
2.0.2 29 / 16
2.0.1 29 / 16
2.0.0 29 / 16

v2.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.