← Home

js-beautify

beautifier.io for node

4
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

evocateurbitwiseman

Keywords

beautifybeautifiercode-quality

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:config-chain AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. ai
phantom-deps phantom-dep:mkdirp AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. ai
phantom-deps phantom-dep:nopt AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. ai
phantom-deps phantom-dep:editorconfig AI (phantom-deps): CLI tool dependency legitimately declared; used indirectly through config system. ai
source-diff obfuscated-file:js/lib/beautify-html.js AI (source-diff): Auto-generated bundled output of js-beautify's HTML beautifier; long lines from concatenation, not obfuscation. ai
source-diff obfuscated-file:js/src/core/acorn.js AI (source-diff): Vendored Acorn parser with Unicode regex tables; long lines are character class data, not obfuscation. ai
source-diff obfuscated-file:js/lib/beautify.js AI (source-diff): Auto-generated bundled output of js-beautify's JS beautifier; long lines from concatenation, not obfuscation. ai
source-diff source-size-tripled AI (source-diff): Size increase from including generated bundles and test files in the package; expected for this project's build. ai
source-diff large-new-source-files AI (source-diff): Project restructured build output in this version; new files are legitimate auto-generated bundles and tests. ai
source-diff obfuscated-file:js/lib/beautify-css.js AI (source-diff): Auto-generated bundled output of js-beautify's CSS beautifier; long lines from concatenation, not obfuscation. ai
source-diff obfuscated-file:js/lib/beautifier.js AI (source-diff): Webpack bundle output of js-beautify's source; standard UMD wrapper with __webpack_require__ bootstrap. Not obfuscated code. ai
provenance publisher-changed AI (provenance): bitwiseman (Liam Newman) is a listed contributor in package.json and has a strong npm track record (106 approved). Legitimate maintainer transition. ai
semgrep semgrep:eval-usage AI (semgrep): eval() is used intentionally in unpacker modules to deobfuscate packed JS — core functionality of js-beautify's unpacker feature, not a supply-chain risk. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance; publisher is well-established with strong track record. ai
source-diff obfuscated-file:js/src/javascript/acorn.js AI (source-diff): Vendored Acorn parser with Unicode regex tables for identifier matching; long lines are character class data, not obfuscation. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic requires use __dirname-based paths in test/unpacker modules — standard Node.js pattern, not arbitrary module loading. Stable FP for this package. ai
semgrep semgrep:obfuscation-packer AI (semgrep): js-beautify ships unpackers for obfuscated JS; these hits are test strings in the unpacker module, not actual obfuscation. Stable FP for this package. ai
phantom-deps phantom-dep:js-cookie AI (phantom-deps): js-cookie is declared in dependencies; it's used in browser context via bundling. Stable FP for this package. ai

Versions (showing 4 of 104)

Version Deps Published
0.2.2 1 / 0
0.2.1 1 / 0
0.2.0 1 / 0
0.1.8 1 / 0

v0.2.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.