@intlayer/chokidar
Uses chokidar to scan and build Intlayer declaration files into dictionaries based on Intlayer configuration.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cjs/transformFiles/transformFiles.cjs | AI (source-diff): Standard rolldown/tsdown bundle output; file transformation logic. | ai | |
| phantom-deps | phantom-dep:crypto-js | AI (phantom-deps): Declared dep used indirectly via bundled intlayer internals; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/esm/transformFiles/transformFiles.mjs | AI (source-diff): Standard rolldown/tsdown bundle output; ESM file transformer. | ai | |
| phantom-deps | phantom-dep:@intlayer/remote-dictionaries-entry | AI (phantom-deps): Same-org dep; phantom-dep heuristic false positive for bundled usage. | ai | |
| source-diff | obfuscated-file:dist/esm/init/utils/configManipulation.mjs | AI (source-diff): Standard rolldown minified ESM bundle; mirrors CJS configManipulation content. | ai | |
| source-diff | obfuscated-file:dist/esm/installSkills/index.mjs | AI (source-diff): Standard rolldown minified ESM bundle; mirrors CJS installSkills content. | ai | |
| phantom-deps | phantom-dep:recast | AI (phantom-deps): recast is used in bundled init/configManipulation code; phantom-dep is a false positive here. | ai | |
| phantom-deps | phantom-dep:zod-to-ts | AI (phantom-deps): New dep added in this version; phantom-dep heuristic false positive for bundled usage. | ai | |
| phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Established usage pattern in this package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:simple-git | AI (phantom-deps): Established usage pattern in this package; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@intlayer/api | AI (phantom-deps): Same-org dep; phantom-dep heuristic false positive for bundled usage. | ai | |
| source-diff | obfuscated-file:dist/cjs/build.cjs | AI (source-diff): Standard rolldown minified bundle output for this package; content is legitimate intlayer build logic. | ai | |
| source-diff | obfuscated-file:dist/cjs/init/index.cjs | AI (source-diff): Standard rolldown minified bundle; content is legitimate intlayer init logic. | ai | |
| source-diff | obfuscated-file:dist/cjs/init/utils/configManipulation.cjs | AI (source-diff): Standard rolldown minified bundle; content is AST-based config manipulation using recast. | ai | |
| source-diff | obfuscated-file:dist/cjs/installSkills/index.cjs | AI (source-diff): Standard rolldown minified bundle; content is IDE skill file installation logic. | ai | |
| source-diff | obfuscated-file:dist/esm/build.mjs | AI (source-diff): Standard rolldown minified ESM bundle; mirrors CJS build.cjs content. | ai | |
| source-diff | obfuscated-file:dist/esm/init/index.mjs | AI (source-diff): Standard rolldown minified ESM bundle; mirrors CJS init/index.cjs content. | ai | |
| provenance | no-provenance | AI (provenance): Intlayer packages consistently publish without Sigstore provenance; stable false positive for this package family. | ai | |
| provenance | missing-githead | AI (provenance): Large monorepo with frequent releases; gitHead absence is a CI config artifact, not a security signal for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): defu is a well-known utility; replaces deepmerge in same-org monorepo context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README is copied from the intlayer monorepo root via prepublish; off-topic/link-dump signals are false positives for this package family. | ai | |
| phantom-deps | phantom-dep:@intlayer/unmerged-dictionaries-entry | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@intlayer/dictionaries-entry | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:defu | AI (phantom-deps): defu is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai |
Versions (showing 51 of 116)
| Version | Deps | Published |
|---|---|---|
| 8.12.2 | 13 / 9 | |
| 8.12.1 | 13 / 9 | |
| 8.11.3 | 13 / 9 | |
| 8.11.2 | 13 / 9 | |
| 8.11.1 | 13 / 9 | |
| 8.11.0 | 13 / 9 | |
| 8.10.1 | 13 / 9 | |
| 8.10.0 | 13 / 9 | |
| 8.9.8 | 13 / 9 | |
| 8.9.7 | 13 / 9 | |
| 8.9.6 | 13 / 9 | |
| 8.9.5 | 13 / 9 | |
| 8.9.4 | 13 / 9 | |
| 8.9.3 | 13 / 9 | |
| 8.9.2 | 13 / 9 | |
| 8.9.1 | 13 / 9 | |
| 8.9.0 | 13 / 9 | |
| 8.8.0 | 13 / 9 | |
| 8.7.14 | 13 / 9 | |
| 8.7.13 | 13 / 9 | |
| 8.7.12 | 13 / 9 | |
| 8.7.11 | 13 / 9 | |
| 8.7.10 | 13 / 9 | |
| 8.7.9 | 13 / 9 | |
| 8.7.8 | 13 / 9 | |
| 8.7.7 | 13 / 9 | |
| 8.7.6 | 13 / 9 | |
| 8.7.5 | 13 / 9 | |
| 8.7.4 | 13 / 9 | |
| 8.7.2 | 13 / 9 | |
| 8.7.1 | 13 / 9 | |
| 8.7.0 | 13 / 9 | |
| 8.6.10 | 13 / 9 | |
| 8.6.9 | 13 / 9 | |
| 8.6.8 | 13 / 9 | |
| 8.6.7 | 13 / 9 | |
| 8.6.6 | 13 / 9 | |
| 8.6.5 | 13 / 9 | |
| 8.6.4 | 13 / 9 | |
| 8.6.3 | 13 / 9 | |
| 8.6.2 | 13 / 9 | |
| 8.6.1 | 13 / 9 | |
| 8.6.0 | 14 / 9 | |
| 8.5.2 | 14 / 9 | |
| 8.5.1 | 14 / 9 | |
| 8.5.0 | 14 / 9 | |
| 8.4.10 | 14 / 9 | |
| 8.4.9 | 14 / 9 | |
| 8.4.8 | 14 / 9 | |
| 8.4.7 | 14 / 9 | |
| 8.4.6 | 14 / 9 |
v8.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ay.pineau.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.