@atlaskit/jql-autocomplete Apache-2.0 3 versions

@atlaskit/jql-autocomplete

npm Repository Homepage

JQL autocomplete engine

Versions

Apache-2.0

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

atlassianartifactteam

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): File count increase matches dep removal/inlining refactor in a well-established Atlassian package.	ai	2026/05/14
dependencies	unvetted-dep:antlr4-c3	AI (dependencies): antlr4-c3 is a well-known ANTLR4 code completion core library; appropriate for a JQL autocomplete engine.	ai	2026/04/24
dependencies	unvetted-dep:@atlaskit/jql-parser	AI (dependencies): Sister Atlaskit package from the same Atlassian monorepo; legitimate sibling dependency.	ai	2026/04/24
dependencies	unvetted-dep:antlr4ts	AI (dependencies): antlr4ts is the official TypeScript runtime for ANTLR4 parser generator; a legitimate and expected dependency for a JQL autocomplete engine.	ai	2026/04/24
phantom-deps	phantom-dep:assert	AI (phantom-deps): Explicitly excluded from no-unused-dependencies check in package.json stricter config; intentionally declared as browser polyfill.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Short README and missing keywords are cosmetic issues common in Atlaskit component library packages; package has clear description and legitimate Atlassian metadata.	ai	2026/04/24
phantom-deps	phantom-dep:util	AI (phantom-deps): Explicitly excluded from no-unused-dependencies check in package.json stricter config; intentionally declared as browser polyfill.	ai	2026/04/24

Versions (showing 3 of 3)

Version	Deps	Published
2.1.0	6 / 2	2026-05-13
2.0.3	6 / 2	2025-11-14
2.0.2	6 / 2	2025-08-25

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.