scratch-l10n

Localization for the Scratch 3.0 components

Versions: 7
License: AGPL-3.0-only
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

cwillisf.scratch

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is the TypeScript runner for .mts bin scripts; not imported in library source but legitimately used. | ai |
phantom-deps | phantom-dep:async | AI (phantom-deps): Used in build/translation scripts; stable false positive for this package. | ai |
phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): Used in clean script; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@transifex/api | AI (phantom-deps): Used in tx-push/pull scripts; stable false positive for this package. | ai |
phantom-deps | phantom-dep:lodash.defaultsdeep | AI (phantom-deps): Used in build scripts; stable false positive for this package. | ai |
phantom-deps | phantom-dep:format-message-parse | AI (phantom-deps): Used in validation/build scripts; stable false positive for this package. | ai |
phantom-deps | phantom-dep:glob | AI (phantom-deps): Referenced in config/scripts; stable false positive for this package. | ai |
phantom-deps | phantom-dep:transifex | AI (phantom-deps): Referenced in tx scripts; stable false positive for this package. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
6.1.85 | 8 / 31 |
6.1.84 | 8 / 31 |
6.1.82 | 8 / 31 |
6.1.80 | 8 / 31 |
6.1.78 | 8 / 31 |
6.1.77 | 8 / 31 |
6.1.75 | 8 / 31 |

v6.1.85

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.84

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.82

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.80

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.78

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.77

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.75

7 findings
[HIGH] Phantom dependency: tsx (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[HIGH] Phantom dependency: async (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[HIGH] Phantom dependency: mkdirp (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[HIGH] Phantom dependency: @transifex/api (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[HIGH] Phantom dependency: lodash.defaultsdeep (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[HIGH] Phantom dependency: format-message-parse (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.