@sroussey/json-schema-library

Customizable and hackable json-validator and json-schema utilities for traversal, data generation and validation

Versions: 4
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sroussey

Keywords

JSON, schema, customize, library, tools, utilities, validator, validation, jsonschema, json-schema, json-schema-validator, json-schema-validation, make my day

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is a declared runtime dep; phantom detection likely due to indirect usage or build artifact analysis. No security concern. | ai |
install-scripts | install-script:preinstall | AI (install-scripts): Preinstall runs 'npx only-allow yarn', a standard package manager enforcement idiom with no security risk. Stable for this package. | ai |
dependencies | unvetted-dep:smtp-address-parser | AI (dependencies): smtp-address-parser is a legitimate dependency for JSON schema email validation; no malicious signals. | ai |
phantom-deps | phantom-dep:@sagold/json-query | AI (phantom-deps): May be used indirectly or via re-exports; not a security concern for this package. | ai |
dependencies | unvetted-dep:@sagold/json-query | AI (dependencies): @sagold/json-query is from the same author ecosystem as this package; legitimate dependency. | ai |
phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): deepmerge is declared in dependencies and resolutions; phantom detection is a false positive for this package. | ai |
provenance | no-provenance | AI (provenance): Lack of provenance is common and not a risk signal for this package; no other concerning indicators present. | ai |

Versions (showing 4 of 4)

Version | Deps | Published
11.4.0 | 6 / 17 |
11.0.0 | 9 / 15 |
10.5.3 | 8 / 19 |
10.5.2 | 8 / 19 |

v11.4.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v11.0.0

2 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: npx only-allow yarn

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v10.5.3

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v10.5.2

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.