es-toolkit
A state-of-the-art, high-performance JavaScript utility library with a small bundle size and strong type annotations.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/browser.global.js | AI (source-diff): dist/browser.global.js is the package's documented browser bundle entry point, produced by rollup+terser. The sample shows readable utility function names with no malicious patterns. Stable for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from toss-build-bot to GitHub Actions with SLSA provenance attestation is a supply chain improvement, not a compromise indicator. Consistent with toss/es-toolkit repo. | ai | |
| source-diff | large-new-source-files | AI (source-diff): es-toolkit is an actively developed utility library with 1497 versions; adding new utility functions (108 files) is expected growth, verified by SLSA provenance. | ai |
Versions (showing 93 of 493)
v1.37.2-dev.1269
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.2-dev.1265
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.2-dev.1264
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.0-dev.1243
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.0-dev.1240
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.0-dev.1214
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.0-dev.1202
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.