tsx
TypeScript Execute (tsx): Node.js enhanced with esbuild to run TypeScript & ESM files
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/register-CoxCwfHn.cjs | AI (source-diff): Minified bundle output; stable pattern for tsx. | ai | |
| source-diff | obfuscated-file:dist/register-D46fvsV_.cjs | AI (source-diff): Standard minified bundle output; stable pattern for tsx. | ai | |
| source-diff | obfuscated-file:dist/register-BXA4IaYH.cjs | AI (source-diff): Minified CJS register hook; standard build output. | ai | |
| source-diff | obfuscated-file:dist/index-gckBtVBf.cjs | AI (source-diff): Minified esbuild/rollup bundle; standard for this build-tool package. | ai | |
| source-diff | obfuscated-file:dist/index-7AaEi15b.mjs | AI (source-diff): ESM counterpart of the same minified bundle. | ai | |
| source-diff | obfuscated-file:dist/register-CuoYSLaL.mjs | AI (source-diff): ESM counterpart of register CJS bundle; same pattern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Restructured dist output with hash-based filenames; stable pattern for tsx. | ai | |
| source-diff | obfuscated-file:dist/lexer-DQCqS3nf.mjs | AI (source-diff): ESM counterpart of lexer CJS bundle; same pattern. | ai | |
| source-diff | obfuscated-file:dist/index-CylV0-__.cjs | AI (source-diff): Bundled esbuild output with readable identifiers; standard for this package. | ai | |
| source-diff | obfuscated-file:dist/lexer-DgIbo0BU.cjs | AI (source-diff): Bundled es-module-lexer WASM loader; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/register-D2KMMyKp.cjs | AI (source-diff): Bundled CJS register hook; readable minified code. | ai | |
| source-diff | obfuscated-file:dist/index-DGv_vkxZ.mjs | AI (source-diff): ESM counterpart of index CJS bundle; same pattern. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): tsx is a well-known TypeScript runner with its own identity; the Levenshtein match to 'qs' is a false positive — these packages serve entirely different purposes. | ai | |
| provenance | no-provenance | AI (provenance): tsx is a legitimate, established package; lack of provenance attestation is common and not a risk signal here. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 4.21.0 | 2 / 0 | |
| 4.20.6 | 2 / 0 | |
| 4.20.5 | 2 / 0 | |
| 4.20.4 | 2 / 0 | |
| 4.20.3 | 2 / 0 | |
| 4.20.2 | 2 / 0 | |
| 4.20.1 | 2 / 0 | |
| 4.20.0 | 2 / 0 | |
| 4.19.4 | 2 / 0 | |
| 4.11.2 | 2 / 0 | |
v4.21.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.6
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.5
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.4
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.3
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.2
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.20.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.19.4
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.