@2digits/oxlint-config — Greenflagged

Minimal Oxlint config for 2digits projects.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

2-digits-adminv1re

Keywords

oxlint-config

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/typescript-DfbtfaAy.mjs	AI (source-diff): Same minified build artifact pattern; content is ESLint/TypeScript config rules, not malicious code.	ai	2026/06/02
source-diff	obfuscated-file:dist/base-BARFyOjH.mjs	AI (source-diff): Minified ESM output from vp pack --minify; content is plainly readable ESLint config rules, not obfuscation.	ai	2026/06/02
source-diff	obfuscated-file:dist/base-VU2GwQZ2.mjs	AI (source-diff): Minified ESM build output from vite-plus --minify; content is plainly readable ESLint rule config, not obfuscated.	ai	2026/06/01
source-diff	obfuscated-file:dist/typescript-JohfbQYF.mjs	AI (source-diff): Same minified ESM build pattern; content is readable TypeScript/React linting config.	ai	2026/06/01
source-diff	obfuscated-file:dist/base-vN2IXLZC.mjs	AI (source-diff): Minified ESM build output from vite-plus; content is readable linting config, not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/base-BWpaMSn8.mjs	AI (source-diff): Minified ESM bundle from documented `vp pack --minify` build; content is plaintext ESLint rule config, no obfuscation.	ai	2026/05/31
source-diff	obfuscated-file:dist/typescript-8FIHWB16.mjs	AI (source-diff): Same minified ESM bundle pattern; content is readable ESLint/React rule config, not obfuscated.	ai	2026/05/31
dependencies	unvetted-dep:eslint-plugin-react-compiler	AI (dependencies): RC dep used as a linting plugin in a config package; no code execution risk beyond lint tooling.	ai	2026/05/30
source-diff	obfuscated-file:dist/typescript-DfLVHeOZ.mjs	AI (source-diff): Minified build artifact from documented vite-plus bundler; content is plaintext ESLint config rules, not obfuscated malware.	ai	2026/05/30
source-diff	obfuscated-file:dist/base-CubgQYkc.mjs	AI (source-diff): Minified ESM bundle from documented `vp pack --minify` build step; content is readable lint rule config.	ai	2026/05/18
source-diff	obfuscated-file:dist/typescript-_a50A5d0.mjs	AI (source-diff): Same as above; minified TypeScript lint rule config, no obfuscation or malicious payload.	ai	2026/05/18
source-diff	obfuscated-file:dist/base-C5gwW2B4.mjs	AI (source-diff): Minified bundle output from vite-plus --minify; content is plaintext ESLint rule config, not obfuscated malware.	ai	2026/05/01
source-diff	obfuscated-file:dist/typescript-O3-OTkkO.mjs	AI (source-diff): Same as above — minified linting config bundle, no suspicious payload.	ai	2026/05/01
source-diff	obfuscated-file:dist/typescript-DTWkDXOd.mjs	AI (source-diff): Same as above — minified build output with readable lint rule config content.	ai	2026/05/01
source-diff	obfuscated-file:dist/base-Dj4ykcw8.mjs	AI (source-diff): Minified ESM bundle from vite-plus --minify; content is plainly readable lint rule config, not obfuscated.	ai	2026/05/01
source-diff	obfuscated-file:dist/typescript-ln2RdhN7.mjs	AI (source-diff): Minified build output of TypeScript oxlint rule config; no malicious content.	ai	2026/05/01
source-diff	obfuscated-file:dist/base-DMlZWXG4.mjs	AI (source-diff): Minified build output of oxlint rule config; content is plainly readable ESLint/oxlint rules, not obfuscation.	ai	2026/05/01
phantom-deps	phantom-dep:defu	AI (phantom-deps): Config package re-exports/uses deps without direct JS imports; stable pattern for this package type.	ai	2026/04/29
phantom-deps	phantom-dep:eslint-plugin-react-compiler	AI (phantom-deps): ESLint plugin referenced in config files, not direct JS imports; expected for config packages.	ai	2026/04/29
phantom-deps	phantom-dep:@stylistic/eslint-plugin	AI (phantom-deps): ESLint plugin referenced in config files, not direct JS imports; expected for config packages.	ai	2026/04/29
phantom-deps	phantom-dep:@2digits/constants	AI (phantom-deps): Same-org dep used in config files, not direct JS imports; expected pattern.	ai	2026/04/29

Versions (showing 16 of 16)

Version	Deps	Published
0.6.8	4 / 10	2026-05-19
0.6.7	4 / 10	2026-05-13
0.6.6	4 / 10	2026-05-11
0.6.5	4 / 11	2026-05-03
0.6.4	4 / 11	2026-04-27
0.6.3	4 / 11	2026-04-21
0.6.2	4 / 11	2026-04-16
0.6.1	4 / 11	2026-04-09
0.6.0	4 / 11	2026-04-07
0.5.0	4 / 11	2026-04-03
0.4.0	2 / 11	2026-04-01
0.3.0	2 / 11	2026-03-31
0.2.0	2 / 11	2026-03-31
0.1.1	1 / 11	2026-03-30
0.1.0	1 / 11	2026-03-25
0.0.1	1 / 11	2026-03-25

v0.6.8

3 findings

HIGH New obfuscated file: dist/base-BARFyOjH.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/typescript-DfbtfaAy.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.7

3 findings

HIGH New obfuscated file: dist/base-VU2GwQZ2.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/typescript-8FIHWB16.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.6

3 findings

HIGH New obfuscated file: dist/base-BWpaMSn8.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/typescript-8FIHWB16.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.5

3 findings

HIGH New obfuscated file: dist/base-vN2IXLZC.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/typescript-JohfbQYF.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

2 findings

HIGH New obfuscated file: dist/typescript-DfLVHeOZ.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

3 findings

HIGH New obfuscated file: dist/base-CubgQYkc.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/typescript-_a50A5d0.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.