@parcel/optimizer-htmlnano
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:svgo | AI (dependencies): svgo is a well-known SVG optimizer and a legitimate dependency for an HTML optimizer plugin in the Parcel ecosystem. No malicious signals. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo package from the official Parcel bundler; missing description is a consistent pattern across @parcel/* scoped packages, not a malicious signal. | ai | |
| provenance | no-provenance | AI (provenance): Published in 2022 before provenance attestation was standard practice; absence is expected for this package version. | ai | |
| phantom-deps | phantom-dep:svgo | AI (phantom-deps): svgo is a legitimate declared dependency used via config in this HTML optimizer plugin; phantom detection is a false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:nullthrows | AI (phantom-deps): nullthrows is a legitimate declared dependency used via config; phantom detection is a false positive for this plugin package. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 2.16.4 | 6 / 1 | |
| 2.16.3 | 6 / 1 | |
| 2.16.2 | 6 / 1 | |
| 2.16.1 | 6 / 1 | |
| 2.16.0 | 6 / 1 | |
| 2.15.4 | 6 / 1 | |
| 2.15.3 | 6 / 1 | |
| 2.15.2 | 6 / 1 | |
| 2.15.1 | 6 / 1 | |
| 2.15.0 | 6 / 1 | |
| 2.14.4 | 6 / 1 | |
| 2.14.3 | 6 / 1 | |
| 2.14.2 | 6 / 1 | |
| 2.14.1 | 6 / 1 | |
| 2.14.0 | 6 / 1 | |
| 2.13.3 | 6 / 1 | |
| 2.13.2 | 6 / 1 | |
| 2.13.1 | 6 / 1 | |
| 2.13.0 | 6 / 1 | |
| 2.10.0 | 5 / 0 | |
| 2.9.2 | 5 / 0 | |
| 2.9.1 | 5 / 0 | |
| 2.8.3 | 5 / 0 | |
| 2.7.0 | 5 / 0 | |
| 2.6.0 | 5 / 0 | |
| 2.5.0 | 5 / 0 | |
| 2.4.1 | 5 / 0 | |
| 2.4.0 | 5 / 0 | |
| 2.3.1 | 5 / 0 | |
| 2.3.0 | 5 / 0 | |
| 2.2.0 | 5 / 0 | |
| 2.1.1 | 5 / 0 | |
| 2.0.1 | 5 / 0 | |
| 2.0.0 | 5 / 0 | |
v2.16.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.