js-beautify
beautifier.io for node
51
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
evocateurbitwiseman
Keywords
beautifybeautifiercode-quality
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:config-chain | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:editorconfig | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-html.js | AI (source-diff): Auto-generated bundled output of js-beautify's HTML beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/src/core/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables; long lines are character class data, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautify.js | AI (source-diff): Auto-generated bundled output of js-beautify's JS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from including generated bundles and test files in the package; expected for this project's build. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Project restructured build output in this version; new files are legitimate auto-generated bundles and tests. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-css.js | AI (source-diff): Auto-generated bundled output of js-beautify's CSS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautifier.js | AI (source-diff): Webpack bundle output of js-beautify's source; standard UMD wrapper with __webpack_require__ bootstrap. Not obfuscated code. | ai | |
| provenance | publisher-changed | AI (provenance): bitwiseman (Liam Newman) is a listed contributor in package.json and has a strong npm track record (106 approved). Legitimate maintainer transition. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used intentionally in unpacker modules to deobfuscate packed JS — core functionality of js-beautify's unpacker feature, not a supply-chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is well-established with strong track record. | ai | |
| source-diff | obfuscated-file:js/src/javascript/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables for identifier matching; long lines are character class data, not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires use __dirname-based paths in test/unpacker modules — standard Node.js pattern, not arbitrary module loading. Stable FP for this package. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): js-beautify ships unpackers for obfuscated JS; these hits are test strings in the unpacker module, not actual obfuscation. Stable FP for this package. | ai | |
| phantom-deps | phantom-dep:js-cookie | AI (phantom-deps): js-cookie is declared in dependencies; it's used in browser context via bundling. Stable FP for this package. | ai |
Versions (showing 51 of 104)
| Version | Deps | Published |
|---|---|---|
| 2.0.3 | 5 / 13 | |
| 1.15.4 | 5 / 13 | |
| 1.15.3 | 5 / 13 | |
| 1.15.2 | 5 / 13 | |
| 1.15.1 | 5 / 13 | |
| 1.15.0 | 5 / 13 | |
| 1.14.11 | 4 / 13 | |
| 1.14.10 | 4 / 13 | |
| 1.14.9 | 4 / 13 | |
| 1.14.8 | 4 / 13 | |
| 1.14.7 | 4 / 13 | |
| 1.14.6 | 4 / 13 | |
| 1.14.5 | 4 / 13 | |
| 1.14.4 | 4 / 13 | |
| 1.14.3 | 4 / 13 | |
| 1.14.2 | 4 / 13 | |
| 1.14.1 | 5 / 13 | |
| 1.14.0 | 4 / 11 | |
| 1.13.13 | 5 / 11 | |
| 1.13.11 | 5 / 11 | |
| 1.13.8 | 5 / 11 | |
| 1.13.7 | 5 / 11 | |
| 1.13.6 | 5 / 11 | |
| 1.13.5 | 5 / 11 | |
| 1.13.4 | 5 / 11 | |
| 1.13.3 | 5 / 11 | |
| 1.13.2 | 5 / 11 | |
| 1.13.1 | 5 / 11 | |
| 1.13.0 | 5 / 11 | |
| 1.12.0 | 5 / 11 | |
| 1.11.0 | 5 / 11 | |
| 1.10.3 | 5 / 10 | |
| 1.10.2 | 5 / 10 | |
| 1.10.1 | 5 / 8 | |
| 1.10.0 | 5 / 8 | |
| 1.9.1 | 5 / 8 | |
| 1.9.0 | 5 / 8 | |
| 1.8.9 | 5 / 8 | |
| 1.8.8 | 4 / 8 | |
| 1.8.7 | 4 / 8 | |
| 1.8.6 | 4 / 8 | |
| 1.8.5 | 4 / 8 | |
| 1.8.4 | 4 / 8 | |
| 1.8.3 | 4 / 8 | |
| 1.8.1 | 4 / 8 | |
| 1.8.0 | 5 / 8 | |
| 1.7.5 | 4 / 6 | |
| 1.7.4 | 4 / 6 | |
| 1.7.3 | 4 / 6 | |
| 1.7.2 | 4 / 6 | |
| 1.7.1 | 4 / 6 |
v2.0.3
2 findings
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
INFO
Publisher changed: bitwiseman → GitHub Actions (on 2026-06-30)
provenance
[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-30. This could indicate a legitimate maintainer transition or an account compromise.