@alexlit/config-eslint
Sharable ESLint configuration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): ESLint is a peer/config dependency referenced in config files, not directly imported — expected pattern for ESLint config packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived package with 868 versions and clean diff; dormancy pattern consistent with periodic batch releases. | ai | |
| dependencies | unvetted-dep:eslint-plugin-vitest | AI (dependencies): eslint-plugin-vitest is a well-known ESLint plugin for Vitest; stable false positive for this config package. | ai | |
| dependencies | unvetted-dep:@vitest/eslint-plugin | AI (dependencies): Official Vitest ESLint plugin; expected dependency for this ESLint config package. | ai | |
| dependencies | unvetted-dep:@unocss/eslint-config | AI (dependencies): Well-known UnoCSS ESLint plugin; stable dependency for this ESLint config package. | ai | |
| dependencies | unvetted-dep:@intlify/eslint-plugin-vue-i18n | AI (dependencies): Official intlify Vue i18n ESLint plugin; expected dependency for this ESLint config package. | ai | |
| provenance | no-provenance | AI (provenance): Long-lived package with 868 versions; no provenance has been a stable characteristic, not a new regression. | ai | |
| phantom-deps | phantom-dep:yaml-eslint-parser | AI (phantom-deps): Parser referenced in ESLint config rules, not imported directly; stable false positive. | ai | |
| phantom-deps | phantom-dep:jsonc-eslint-parser | AI (phantom-deps): Parser referenced in ESLint config rules, not imported directly; stable false positive. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): ESLint config packages reference typescript via config, not direct import; stable false positive. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 140.0.0 | 23 / 0 | |
| 139.3.0 | 23 / 0 | |
| 139.2.2 | 23 / 0 | |
| 139.2.1 | 23 / 0 | |
| 139.2.0 | 23 / 0 | |
| 138.7.3 | 23 / 0 | |
| 138.7.2 | 23 / 0 | |
| 138.7.1 | 23 / 0 | |
| 138.7.0 | 23 / 0 | |
| 138.6.0 | 23 / 0 | |
| 138.5.0 | 23 / 0 | |
| 138.4.2 | 23 / 0 | |
| 138.3.0 | 23 / 0 | |
| 138.1.0 | 23 / 0 | |
| 136.2.0 | 23 / 0 | |
| 128.1.0 | 23 / 0 | |
| 121.8.3 | 23 / 0 | |
| 121.8.2 | 23 / 0 | |
| 121.0.0 | 23 / 0 | |
v140.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v139.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v139.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v139.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v139.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v138.7.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.7.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.4.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v138.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v136.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v128.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v121.8.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v121.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v121.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.