← Home

@codingame/monaco-vscode-api

npm Repository Homepage
8
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

nonofrsamuel.oliviernantoniazzimaximecgcodingame_team

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:toplevel-fetch AI (semgrep): fetch() in tree-sitter.js loads WASM binary; standard Emscripten/WASM loading pattern. ai
semgrep semgrep:eval-usage AI (semgrep): eval() in tree-sitter.js is Emscripten EM_ASM pattern; not user-controlled input. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): 127.0.0.1 is a localhost OAuth redirect URI in VSCode's oauth.js; not exfiltration. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is VSCode's extension host loader pattern; stable across versions. ai

Versions (showing 8 of 8)

Version Deps Published
33.0.3 11 / 0
31.0.1 11 / 0
31.0.0 11 / 0
30.0.1 11 / 0
30.0.0 11 / 0
29.1.1 11 / 0
29.1.0 11 / 0
29.0.0 11 / 0

v33.0.3

2 findings
HIGH Publisher changed: samuel.olivier → GitHub Actions (on 2026-05-22) provenance

This version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v31.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v31.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v30.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v30.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.