jshint
Static analysis tool for JavaScript
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
jugglinmikeantonkovalyovrwaldron
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:esprima | AI (npm-metadata): Historical artifact of early JSHint versions when esprima wasn't on npm; not a malicious signal for this well-established package. | ai | |
| source-diff | net-exec-file:dist/jshint.js | AI (source-diff): dist/jshint.js is JSHint's standard browserify build artifact. The 'network+exec' pattern is the browserify module loader, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/jshint-rhino.js | AI (source-diff): dist/jshint-rhino.js is JSHint's standard browserify build artifact for Rhino environments. The 'network+exec' pattern is the browserify module loader, not malware. Stable false positive for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by addition of two large dist/ build artifacts (~741KB + ~738KB), which are expected compiled outputs for a linter shipping browser/Rhino builds. | ai | |
| provenance | publisher-changed | AI (provenance): The antonkovalyov → rwaldron transition in 2014 is a well-documented legitimate maintainer handoff for the JSHint project; stable historical fact for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): rwaldron is a known JS community contributor; this maintainer addition in 2014 is a legitimate historical transition, not a compromise. | ai | |
| source-diff | obfuscated-file:data/es5-identifier-names.js | AI (source-diff): This file is a generated regex of Unicode character ranges for ES5 identifier validation — long lines are inherent to the data format, not obfuscation. Stable false positive for jshint. | ai | |
| typosquat | typosquat.levenshtein:eslint | AI (typosquat): JSHint is a well-known, long-established JS linting tool that predates ESLint. The name similarity is coincidental; this is not a typosquat. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): htmlparser2 is a well-established HTML parser added for inline HTML linting support. No malicious history; legitimate feature addition. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in JSHint's CLI is used to load user config files (jshintConfig). This is the documented config-loading mechanism, not arbitrary code execution. | ai |
Versions (showing 51 of 95)
| Version | Deps | Published |
|---|---|---|
| 2.13.6 | 7 / 16 | |
| 2.13.5 | 7 / 16 | |
| 2.13.4 | 7 / 16 | |
| 2.13.3 | 8 / 16 | |
| 2.13.2 | 8 / 16 | |
| 2.13.1 | 8 / 16 | |
| 2.13.0 | 8 / 16 | |
| 2.12.0 | 8 / 16 | |
| 2.11.2 | 8 / 16 | |
| 2.11.1 | 8 / 16 | |
| 2.11.0 | 8 / 17 | |
| 2.10.3 | 8 / 17 | |
| 2.10.2 | 8 / 17 | |
| 2.10.1 | 8 / 17 | |
| 2.10.0 | 8 / 17 | |
| 2.9.7 | 8 / 17 | |
| 2.9.6 | 11 / 14 | |
| 2.9.5 | 8 / 14 | |
| 2.9.4 | 8 / 13 | |
| 2.9.3 | 8 / 14 | |
| 2.9.2 | 8 / 14 | |
| 2.9.1 | 8 / 14 | |
| 2.8.0 | 8 / 10 | |
| 2.7.0 | 8 / 10 | |
| 2.6.3 | 8 / 10 | |
| 2.6.2 | 8 / 10 | |
| 2.6.1 | 8 / 10 | |
| 2.6.0 | 8 / 10 | |
| 2.5.11 | 8 / 9 | |
| 2.5.10 | 8 / 8 | |
| 2.5.9 | 8 / 8 | |
| 2.5.8 | 8 / 8 | |
| 2.5.7 | 8 / 8 | |
| 2.5.6 | 8 / 7 | |
| 2.5.5 | 8 / 7 | |
| 2.5.4 | 8 / 7 | |
| 2.5.3 | 8 / 7 | |
| 2.5.2 | 8 / 7 | |
| 2.5.1 | 8 / 7 | |
| 2.5.0 | 8 / 8 | |
| 2.4.4 | 7 / 8 | |
| 2.4.3 | 6 / 8 | |
| 2.4.2 | 6 / 8 | |
| 2.4.1 | 6 / 8 | |
| 2.4.0 | 6 / 8 | |
| 2.3.0 | 5 / 8 | |
| 2.2.0 | 5 / 8 | |
| 2.1.11 | 5 / 6 | |
| 2.1.10 | 5 / 6 | |
| 2.1.9 | 5 / 6 | |
| 2.1.8 | 5 / 6 |