All @bpmn-io/lang-feel versions
@bpmn-io/lang-feel @3.0.0
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
53
Risk Score
MIT
License
No
Install Scripts
4
Dependencies
24
Dev Dependencies
9.0 KB
Package Size
Published
FEEL language support for the CodeMirror code editor
Maintainers
bpmn-io-adminnikkubarmacphilippfrommemaxtruskaiir-camundavsgoulartjarekdanielaksimon-steinruecken-camunda
Keywords
editorcode
Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| @lezer/common | ^1.4.0 | auto_approved |
| @bpmn-io/lezer-feel | ^2.0.0 | No greenflagged match |
| @codemirror/language | ^6.11.3 | auto_approved |
| @codemirror/autocomplete | ^6.20.0 | auto_approved |
Dev Dependencies (24)
| Package | Constraint | Registry Status |
|---|---|---|
| chai | ^6.2.1 | auto_approved |
| karma | ^6.4.4 | auto_approved |
| mocha | ^11.7.5 | auto_approved |
| eslint | ^9.39.1 | auto_approved |
| min-dom | ^5.1.1 | auto_approved |
| webpack | ^5.103.0 | auto_approved |
| puppeteer | ^24.31.0 | auto_approved |
| ts-loader | ^9.5.4 | auto_approved |
| codemirror | ^6.0.2 | auto_approved |
| typescript | ^5.9.3 | auto_approved |
| karma-mocha | ^2.0.1 | auto_approved |
| microbundle | ^0.15.1 | auto_approved |
| @types/mocha | ^10.0.10 | auto_approved |
| npm-run-all2 | ^8.0.4 | auto_approved |
| karma-webpack | ^5.0.1 | auto_approved |
| @codemirror/view | ^6.38.8 | auto_approved |
| @codemirror/state | ^6.5.2 | auto_approved |
| @types/karma-chai | ^0.1.8 | Not imported |
| typescript-eslint | ^8.48.0 | auto_approved |
| @types/karma-mocha | ^1.3.4 | Not imported |
| karma-debug-launcher | ^0.0.5 | Not imported |
| eslint-plugin-bpmn-io | ^2.0.0 | Not imported |
| karma-chrome-launcher | ^3.2.0 | auto_approved |
| karma-env-preprocessor | ^0.1.1 | Not imported |
Transitive Dependency Tree
12 transitive deps
max depth 5
├─
@bpmn-io/lezer-feel
^2.0.0
├─
@codemirror/autocomplete
^6.20.0
→ 6.20.3
├─
@codemirror/language
^6.11.3
→ 6.12.3
├─
@lezer/common
^1.4.0
→ 1.5.2
├─
@codemirror/language
^6.0.0
→ 6.12.3
├─
@codemirror/state
^6.0.0
→ 6.6.0
├─
@codemirror/view
^6.23.0
→ 6.43.1
├─
@codemirror/view
^6.17.0
→ 6.43.1
├─
@lezer/common
^1.5.0
→ 1.5.2
├─
@lezer/common
^1.0.0
→ 1.5.2
├─
@lezer/highlight
^1.0.0
→ 1.2.3
├─
@lezer/lr
^1.0.0
→ 1.4.10
├─
style-mod
^4.0.0
├─
@codemirror/state
^6.6.0
→ 6.6.0
├─
@codemirror/state
^6.0.0
→ 6.6.0
├─
@codemirror/view
^6.23.0
→ 6.43.1
├─
@lezer/common
^1.5.0
→ 1.5.2
├─
@lezer/common
^1.0.0
→ 1.5.2
├─
@lezer/common
^1.3.0
→ 1.5.2
├─
@lezer/highlight
^1.0.0
→ 1.2.3
├─
@lezer/lr
^1.0.0
→ 1.4.10
├─
@marijn/find-cluster-break
^1.0.0
→ 1.0.2
├─
crelt
^1.0.6
→ 1.0.6
├─
style-mod
^4.1.0
→ 4.1.3
├─
style-mod
^4.0.0
├─
w3c-keyname
^2.2.4
→ 2.2.8
├─
@codemirror/state
^6.6.0
→ 6.6.0
├─
@lezer/common
^1.3.0
→ 1.5.2
├─
@lezer/common
^1.0.0
→ 1.5.2
├─
@marijn/find-cluster-break
^1.0.0
→ 1.0.2
├─
crelt
^1.0.6
→ 1.0.6
├─
style-mod
^4.1.0
→ 4.1.3
├─
w3c-keyname
^2.2.4
→ 2.2.8
├─
@marijn/find-cluster-break
^1.0.0
→ 1.0.2
Risk Dispositions (1 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
bogus-package |
bogus-package | reject | AI | AI (bogus-package): SPAM-FLAGGED publisher barinali is a maintainer; generalizes to all versions published by this actor. |
Show 1 disposition(s) that do not match any finding on this version
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
publisher-changed |
provenance | reject | AI | AI (provenance): Publisher changed to SPAM-FLAGGED account barinali; strong takeover signal that generalizes. |
SAST Findings (2)
CRITICAL
Low-value / spam package indicators (2 signals, score 5)
bogus-package
[Always reject] Matched 2 signal(s), weighted score 5: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: simon-steinruecken-camunda, bpmn-io-admin, jarekdanielak. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3), 1 info (+0).
Commit: 6c4778123c5e Browse source
Published to npm: