@herb-tools/language-server

Herb HTML+ERB Language Tools and Language Server Protocol integration.

Versions: 36
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

marcoroth

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | net-exec-file:dist/index.cjs | AI (source-diff): Network and child_process imports are required by the LSP protocol implementation; no dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): Standard rollup CJS bundle output; minified lines are expected for this language-server package. | ai | |
| source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Same inline WASM blob in the CJS build. Legitimate Emscripten output; not a malicious payload. | ai | |
| source-diff | encoded-string-file:dist/herb-language-server.js | AI (source-diff): The encoded string is a base64-encoded WebAssembly binary (AGFzbQ prefix = WASM magic bytes). Shipping WASM as base64 in a JS bundle is standard practice for this package; stable false positive. | ai | |
| dependencies | unvetted-dep:@herb-tools/linter | AI (dependencies): Sibling package in the same herb-tools monorepo, same author and versioning scheme. Intra-monorepo dependency; not a meaningful risk for this package. | ai | |
| phantom-deps | phantom-dep:dedent | AI (phantom-deps): dedent is declared as a runtime dependency in package.json; the phantom-dep finding reflects it not being directly imported in source, which is a packaging style choice, not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 36 versions and 9.6k weekly downloads; lack of Sigstore provenance is common and not a security signal for this package. | ai | |

Versions (showing 36 of 36)

Version Deps Published
0.10.1 9 / 1
0.10.0 9 / 1
0.9.7 9 / 1
0.9.6 9 / 1
0.9.5 9 / 1
0.9.4 9 / 1
0.9.3 9 / 1
0.9.2 9 / 1
0.9.1 9 / 1
0.9.0 9 / 1
0.8.10 7 / 0
0.8.9 7 / 0
0.8.8 7 / 0
0.8.7 7 / 0
0.8.6 7 / 0
0.8.5 7 / 0
0.8.4 7 / 0
0.8.3 7 / 0
0.8.2 7 / 0
0.8.1 7 / 0
0.8.0 7 / 0
0.7.5 6 / 1
0.7.4 6 / 1
0.7.3 6 / 1
0.7.2 6 / 1
0.7.1 6 / 1
0.7.0 6 / 1
0.6.1 6 / 1
0.6.0 6 / 1
0.5.0 6 / 1
0.4.3 6 / 1
0.4.2 6 / 1
0.4.1 6 / 1
0.4.0 6 / 0
0.3.1 5 / 5
0.3.0 5 / 5

v0.10.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.6

2 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.5

2 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.4

2 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.3

2 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2

2 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1

3 findings
HIGH Long encoded string in modified file: dist/herb-language-server.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/index.cjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.