← Home

uglify-es

npm Repository Homepage

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

50
Versions
BSD-2-Clause
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

alexlamsl

Keywords

uglifyuglify-esuglify-jsminifyminifierjavascriptecmascriptes5es6es7es8es2015es2016es2017asyncawait

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:new-function-constructor AI (semgrep): new Function() in lib/ast.js is an established internal pattern for building prototype chains in UglifyJS's AST infrastructure; input is internally generated, not user-controlled. ai
phantom-deps phantom-dep:commander AI (phantom-deps): commander is a declared runtime dependency used by the CLI bin script; the phantom-dep finding is a false positive for this CLI tool's architecture. ai

Versions (showing 50 of 50)

Version Deps Published
3.3.10 2 / 3
3.3.9 2 / 3
3.3.8 2 / 3
3.3.7 2 / 3
3.3.6 2 / 3
3.3.5 2 / 3
3.3.4 2 / 3
3.3.3 2 / 3
3.3.2 2 / 3
3.3.1 2 / 3
3.3.0 2 / 3
3.2.2 2 / 3
3.2.1 2 / 3
3.2.0 2 / 3
3.1.10 2 / 3
3.1.9 2 / 3
3.1.8 2 / 3
3.1.7 2 / 3
3.1.6 2 / 3
3.1.5 2 / 3
3.1.4 2 / 3
3.1.3 2 / 3
3.1.2 2 / 3
3.1.1 2 / 3
3.1.0 2 / 3
3.0.28 2 / 3
3.0.27 2 / 3
3.0.26 2 / 3
3.0.25 2 / 3
3.0.24 2 / 3
3.0.23 2 / 3
3.0.22 2 / 3
3.0.21 2 / 3
3.0.20 2 / 3
3.0.19 2 / 3
3.0.18 2 / 3
3.0.17 2 / 3
3.0.15 2 / 3
3.0.14 2 / 3
3.0.13 2 / 3
3.0.12 2 / 3
3.0.11 2 / 3
3.0.10 2 / 3
3.0.9 2 / 3
3.0.8 2 / 3
3.0.7 2 / 2
3.0.5 2 / 2
3.0.4 3 / 5
3.0.3 3 / 5
3.0.2 3 / 5