z-schema
Fast, lightweight JSON Schema validator for Node.js and browsers — full support for draft-04, draft-06, draft-07, draft-2019-09, and draft-2020-12 (latest)
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:cjs/index.cjs | AI (source-diff): cjs/index.cjs is a Rollup-bundled CJS output explicitly referenced in package.json exports. The 'network+exec' pattern is from bundled validator/lodash deps, not malicious code. | ai | |
| source-diff | net-exec-file:cjs/ZSchema.cjs | AI (source-diff): CJS bundle generated by Rollup; 'network' and 'dynamic exec' patterns are lodash/validator boilerplate and cross-env global detection idioms, not malicious code. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package restructured to multi-format distribution (ESM/CJS/UMD); large file count increase is expected and consistent with build tooling changes. | ai | |
| source-diff | net-exec-file:cjs/ZSchema.js | AI (source-diff): Rollup-bundled CJS build artifact containing lodash/validator dependencies. UMD boilerplate and lodash's Function('return this')() idiom trigger the rule; no actual network+exec malware pattern. | ai | |
| source-diff | net-exec-file:umd/ZSchema.min.js | AI (source-diff): Minified UMD build artifact from rollup+terser. Same false positive pattern as the unminified UMD file; no malicious network+exec behavior. | ai | |
| source-diff | net-exec-file:umd/ZSchema.js | AI (source-diff): Rollup-bundled UMD build artifact. Standard UMD factory pattern and lodash global detection trigger the rule; no actual dropper/loader behavior. | ai | |
| source-diff | net-exec-file:cjs/index.js | AI (source-diff): File is a standard CJS rollup bundle inlining lodash deps. 'Network+exec' trigger is UMD boilerplate and Function('return this')() global detection, not malware. | ai | |
| source-diff | net-exec-file:dist/ZSchema.cjs | AI (source-diff): Standard rollup CJS bundle artifact. 'Network' patterns are from bundled validator/lodash deps, not actual network calls. No malicious behavior present. | ai | |
| source-diff | net-exec-file:dist/ZSchema-umd-min.js | AI (source-diff): Standard rollup UMD minified bundle for browser distribution. Patterns are from bundled deps, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/ZSchema-umd.js | AI (source-diff): Standard rollup UMD bundle artifact. Same false-positive pattern as the other dist files. | ai | |
| source-diff | obfuscated-file:dist/ZSchema-umd-min.js | AI (source-diff): Minified by @rollup/plugin-terser as documented in devDependencies. Expected browser distribution artifact for this package. | ai | |
| source-diff | net-exec-file:dist/ZSchema-browser.js | AI (source-diff): UMD bundle with require/module patterns; expected in browserified output. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase due to addition of browser bundle artifacts (dist/); legitimate build output, not payload injection. | ai | |
| source-diff | net-exec-file:dist/ZSchema-browser-min.js | AI (source-diff): UMD bundle with require/module patterns; expected in browserified output, not a malware indicator. | ai | |
| source-diff | net-exec-file:dist/ZSchema-browser-test.js | AI (source-diff): UMD bundle with require/module patterns; expected in browserified test output. | ai | |
| source-diff | obfuscated-file:dist/ZSchema-browser-min.js | AI (source-diff): Minified browser bundle artifact; standard build output for packages shipping UMD/browserified distributions. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Commander is optional dependency for CLI; referenced in build config but not directly imported in source—normal pattern. | ai | |
| source-diff | obfuscated-file:dist/ZSchema-browser-test.js | AI (source-diff): Minified test bundle artifact; standard build output for browser test distribution. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): Request is optional dependency for CLI; widely-used and established package, no security concern. | ai | |
| dependencies | unvetted-dep:bluebird | AI (dependencies): bluebird is a well-known, widely-used Promise library. Its inclusion here is consistent with the package's age and use case. No malicious history. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (validator, lodash.get, commander) are all established packages appropriate for schema validation and CLI support. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; no provenance is expected and not a risk signal for this established package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): z-schema legitimately decodes base64 values as part of JSON schema validation (e.g., data URIs). The flagged code is standard Buffer.from(..., 'base64') with no obfuscation or network activity. | ai |
Versions (showing 24 of 124)
| Version | Deps | Published |
|---|---|---|
| 2.2.1 | 1 / 7 | |
| 2.2.0 | 1 / 7 | |
| 2.1.0 | 1 / 7 | |
| 2.0.5 | 1 / 7 | |
| 2.0.4 | 1 / 7 | |
| 2.0.3 | 1 / 7 | |
| 2.0.2 | 1 / 7 | |
| 2.0.1 | 1 / 7 | |
| 2.0.0 | 1 / 7 | |
| 1.5.1 | 1 / 3 | |
| 1.5.0 | 1 / 3 | |
| 1.4.4 | 1 / 3 | |
| 1.4.3 | 1 / 3 | |
| 1.4.2 | 1 / 3 | |
| 1.4.0 | 1 / 3 | |
| 1.2.0 | 1 / 3 | |
| 1.1.2 | 1 / 3 | |
| 1.1.1 | 1 / 3 | |
| 1.0.0 | 1 / 3 | |
| 7.0.0-beta.5 | 3 / 35 | |
| 7.0.0-beta.4 | 3 / 35 | |
| 7.0.0-beta.3 | 3 / 35 | |
| 7.0.0-beta.2 | 3 / 35 | |
| 7.0.0-beta.1 | 3 / 34 |
v2.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0-beta.5
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0-beta.4
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0-beta.3
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0-beta.2
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0-beta.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.