putout
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@putout/processor-css | AI (dependencies): First-party @putout scoped package; consistent with putout's plugin ecosystem pattern. | ai | |
| phantom-deps | phantom-dep:is-relative | AI (phantom-deps): Same dynamic-loading pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@putout/cli-cache | AI (phantom-deps): First-party sub-package loaded dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@putout/cli-match | AI (phantom-deps): First-party sub-package loaded dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:find-up | AI (phantom-deps): putout loads plugins/formatters dynamically; phantom-dep heuristic is a stable false positive for this monorepo. | ai | |
| phantom-deps | phantom-dep:@putout/cli-ruler | AI (phantom-deps): First-party sub-package loaded dynamically; stable false positive. | ai | |
| provenance | no-provenance | AI (provenance): Established package; lack of provenance is common and not a risk signal here. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads user-controlled PUTOUT_CONFIG_FILE env var path — intentional config-loading pattern for this tool. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 42.4.5 | 154 / 13 | |
| 42.4.3 | 154 / 13 | |
| 42.0.21 | 150 / 13 | |
| 42.0.20 | 150 / 13 | |
| 42.0.16 | 150 / 13 | |
| 41.23.0 | 148 / 13 | |
| 41.21.1 | 147 / 13 | |
| 41.15.0 | 146 / 13 | |
| 41.13.0 | 146 / 13 | |
| 41.12.0 | 147 / 13 | |
| 41.11.0 | 147 / 13 | |
| 41.10.1 | 147 / 13 | |
| 41.9.2 | 147 / 13 | |
| 41.7.0 | 145 / 12 | |
v42.4.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v42.4.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v42.0.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v42.0.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v42.0.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v41.23.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v41.21.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v41.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v41.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v41.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v41.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v41.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v41.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v41.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.