vscode-languageclient
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): Core functionality: this package spawns language server processes by design. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning language server subprocesses is the primary purpose of this library. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Env enumeration is used to pass environment to child language server processes, a documented and expected pattern. | ai |
v10.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (microsoft1es) than the most recent previously approved version (vscode-bot) on 2026-06-03, but microsoft1es is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.