
@vscode/ripgrep

3
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kaimaetzel, lszomoru, alexandrudima, sbatten, joaomoreno.ms, microsoft1es, rebornix, vscode-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-riscv64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-s390x | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-win32-arm64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-darwin-arm64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-dormant Microsoft package resuming with a clean architectural refactor; publisher has strong track record. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are @vscode/* platform-specific optional binary packages replacing the old postinstall download pattern. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop explained by removal of download/install scripts; logic moved to platform-specific optional dep packages. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-arm | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-x64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-win32-x64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-darwin-x64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-ia32 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-win32-ia32 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-arm64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep-linux-ppc64 | AI (phantom-deps): Optional platform binary package; resolved at runtime by platform detection, not direct import. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used solely to run 'tar' for binary extraction; benign and stable for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawns 'tar' to extract downloaded ripgrep archive; expected behavior for this native binary package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Documented prebuilt-binary download for ripgrep; stable pattern for this Microsoft-published package. | ai | |

Versions (showing 3 of 3)

Version Deps Published
1.18.0 12 / 0
1.17.1 3 / 1
1.15.14 3 / 1

v1.18.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.15.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.