js-beautify
beautifier.io for node
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:config-chain | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| phantom-deps | phantom-dep:editorconfig | AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-html.js | AI (source-diff): Auto-generated bundled output of js-beautify's HTML beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/src/core/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables; long lines are character class data, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautify.js | AI (source-diff): Auto-generated bundled output of js-beautify's JS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from including generated bundles and test files in the package; expected for this project's build. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Project restructured build output in this version; new files are legitimate auto-generated bundles and tests. | ai | |
| source-diff | obfuscated-file:js/lib/beautify-css.js | AI (source-diff): Auto-generated bundled output of js-beautify's CSS beautifier; long lines from concatenation, not obfuscation. | ai | |
| source-diff | obfuscated-file:js/lib/beautifier.js | AI (source-diff): Webpack bundle output of js-beautify's source; standard UMD wrapper with __webpack_require__ bootstrap. Not obfuscated code. | ai | |
| provenance | publisher-changed | AI (provenance): bitwiseman (Liam Newman) is a listed contributor in package.json and has a strong npm track record (106 approved). Legitimate maintainer transition. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used intentionally in unpacker modules to deobfuscate packed JS — core functionality of js-beautify's unpacker feature, not a supply-chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is well-established with strong track record. | ai | |
| source-diff | obfuscated-file:js/src/javascript/acorn.js | AI (source-diff): Vendored Acorn parser with Unicode regex tables for identifier matching; long lines are character class data, not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires use __dirname-based paths in test/unpacker modules — standard Node.js pattern, not arbitrary module loading. Stable FP for this package. | ai | |
| semgrep | semgrep:obfuscation-packer | AI (semgrep): js-beautify ships unpackers for obfuscated JS; these hits are test strings in the unpacker module, not actual obfuscation. Stable FP for this package. | ai | |
| phantom-deps | phantom-dep:js-cookie | AI (phantom-deps): js-cookie is declared in dependencies; it's used in browser context via bundling. Stable FP for this package. | ai |
Versions (showing 100 of 104)
| Version | Deps | Published |
|---|---|---|
| 2.0.3 | 5 / 13 | |
| 1.15.4 | 5 / 13 | |
| 1.15.3 | 5 / 13 | |
| 1.15.2 | 5 / 13 | |
| 1.15.1 | 5 / 13 | |
| 1.15.0 | 5 / 13 | |
| 1.14.11 | 4 / 13 | |
| 1.14.10 | 4 / 13 | |
| 1.14.9 | 4 / 13 | |
| 1.14.8 | 4 / 13 | |
| 1.14.7 | 4 / 13 | |
| 1.14.6 | 4 / 13 | |
| 1.14.5 | 4 / 13 | |
| 1.14.4 | 4 / 13 | |
| 1.14.3 | 4 / 13 | |
| 1.14.2 | 4 / 13 | |
| 1.14.1 | 5 / 13 | |
| 1.14.0 | 4 / 11 | |
| 1.13.13 | 5 / 11 | |
| 1.13.11 | 5 / 11 | |
| 1.13.8 | 5 / 11 | |
| 1.13.7 | 5 / 11 | |
| 1.13.6 | 5 / 11 | |
| 1.13.5 | 5 / 11 | |
| 1.13.4 | 5 / 11 | |
| 1.13.3 | 5 / 11 | |
| 1.13.2 | 5 / 11 | |
| 1.13.1 | 5 / 11 | |
| 1.13.0 | 5 / 11 | |
| 1.12.0 | 5 / 11 | |
| 1.11.0 | 5 / 11 | |
| 1.10.3 | 5 / 10 | |
| 1.10.2 | 5 / 10 | |
| 1.10.1 | 5 / 8 | |
| 1.10.0 | 5 / 8 | |
| 1.9.1 | 5 / 8 | |
| 1.9.0 | 5 / 8 | |
| 1.8.9 | 5 / 8 | |
| 1.8.8 | 4 / 8 | |
| 1.8.7 | 4 / 8 | |
| 1.8.6 | 4 / 8 | |
| 1.8.5 | 4 / 8 | |
| 1.8.4 | 4 / 8 | |
| 1.8.3 | 4 / 8 | |
| 1.8.1 | 4 / 8 | |
| 1.8.0 | 5 / 8 | |
| 1.7.5 | 4 / 6 | |
| 1.7.4 | 4 / 6 | |
| 1.7.3 | 4 / 6 | |
| 1.7.2 | 4 / 6 | |
| 1.7.1 | 4 / 6 | |
| 1.7.0 | 4 / 6 | |
| 1.6.14 | 4 / 5 | |
| 1.6.12 | 4 / 5 | |
| 1.6.11 | 4 / 5 | |
| 1.6.10 | 4 / 5 | |
| 1.6.9 | 4 / 5 | |
| 1.6.8 | 4 / 5 | |
| 1.6.7 | 4 / 5 | |
| 1.6.6 | 4 / 5 | |
| 1.6.5 | 4 / 5 | |
| 1.6.4 | 4 / 5 | |
| 1.6.3 | 3 / 5 | |
| 1.6.2 | 3 / 5 | |
| 1.6.1 | 3 / 5 | |
| 1.6.0 | 3 / 5 | |
| 1.5.10 | 3 / 5 | |
| 1.5.9 | 3 / 5 | |
| 1.5.8 | 3 / 5 | |
| 1.5.7 | 3 / 5 | |
| 1.5.6 | 3 / 5 | |
| 1.5.5 | 3 / 5 | |
| 1.5.4 | 3 / 4 | |
| 1.5.3 | 3 / 3 | |
| 1.5.2 | 3 / 3 | |
| 1.5.1 | 3 / 3 | |
| 1.4.2 | 3 / 2 | |
| 1.4.1 | 3 / 2 | |
| 1.4.0 | 3 / 1 | |
| 1.3.4 | 3 / 1 | |
| 1.3.3 | 2 / 1 | |
| 1.3.2 | 2 / 1 | |
| 1.3.1 | 2 / 1 | |
| 1.3.0 | 2 / 1 | |
| 1.2.0 | 2 / 1 | |
| 0.4.2 | 2 / 0 | |
| 0.4.1 | 2 / 0 | |
| 0.4.0 | 2 / 0 | |
| 0.3.9 | 2 / 0 | |
| 0.3.8 | 2 / 0 | |
| 0.3.7 | 2 / 0 | |
| 0.3.6 | 2 / 0 | |
| 0.3.5 | 2 / 0 | |
| 0.3.4 | 2 / 0 | |
| 0.3.3 | 2 / 0 | |
| 0.3.2 | 2 / 0 | |
| 0.3.1 | 2 / 0 | |
| 0.3.0 | 2 / 0 | |
| 0.2.4 | 1 / 0 | |
| 0.2.3 | 1 / 0 |
v2.0.3
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-30. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.