@cedarjs/eslint-config
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): ESLint config; parser loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): ESLint config; Babel parser loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): ESLint config; plugins referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): ESLint config; plugin referenced in config, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jest-dom | AI (phantom-deps): ESLint config; plugin referenced in config, not direct import. | ai | |
| phantom-deps | phantom-dep:@cedarjs/eslint-plugin | AI (phantom-deps): ESLint config; same-org plugin loaded by convention. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint config; plugin referenced in config, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/eslint-plugin | AI (phantom-deps): ESLint config; plugin loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-hooks | AI (phantom-deps): ESLint config; plugin referenced in config, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-prettier | AI (phantom-deps): ESLint config; plugin referenced in config, not direct import. | ai | |
| dependencies | unvetted-dep:eslint-import-resolver-babel-module | AI (dependencies): Established babel-module import resolver; stable false positive for this ESLint config package. | ai | |
| dependencies | unvetted-dep:eslint-plugin-jest-dom | AI (dependencies): Well-known ESLint plugin for jest-dom; stable false positive for this ESLint config package. | ai | |
| dependencies | unvetted-dep:eslint-plugin-react-compiler | AI (dependencies): Official React compiler ESLint plugin; expected dependency for this ESLint config package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): ESLint config packages reference eslint in config files, not via import; stable false positive for this package type. | ai | |
| phantom-deps | phantom-dep:eslint-import-resolver-babel-module | AI (phantom-deps): Import resolver referenced in ESLint config settings, not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): ESLint plugin referenced in config, not imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): Parser referenced in ESLint config, not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config referenced in config files, not imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-babel | AI (phantom-deps): ESLint plugin referenced in config files, not imported; stable false positive for eslint-config packages. | ai | |
| phantom-deps | phantom-dep:@cedarjs/internal | AI (phantom-deps): Same-org sibling dep used in config context; stable false positive. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): Referenced in eslint-config-prettier config, not directly imported; stable false positive. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 4.1.0 | 23 / 2 | |
| 4.0.0 | 23 / 2 | |
| 3.1.1 | 23 / 2 | |
| 3.1.0 | 23 / 2 | |
| 3.0.0 | 23 / 2 | |
| 2.8.1 | 23 / 2 | |
| 2.8.0 | 23 / 2 | |
| 2.7.0 | 23 / 2 | |
| 2.6.0 | 23 / 2 | |
| 2.5.1 | 23 / 2 | |
| 2.4.1 | 23 / 2 | |
| 2.4.0 | 23 / 2 | |
| 2.3.0 | 23 / 2 | |
| 2.1.1 | 23 / 2 | |
| 2.1.0 | 23 / 2 | |
| 2.0.3 | 19 / 2 | |
| 2.0.2 | 19 / 2 | |
| 2.0.1 | 19 / 2 | |
| 2.0.0 | 19 / 2 | |
| 1.1.2 | 19 / 2 | |
| 1.1.1 | 19 / 2 | |
| 1.1.0 | 19 / 2 | |
| 1.0.0 | 19 / 2 | |
v4.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.