@astrojs/mdx
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): withastro migrated to GitHub Actions CI/CD publishing; SLSA provenance attestation confirms builds from the official repo. This transition is stable for the package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of individual maintainers reflects withastro org's shift to automated GitHub Actions publishing, not a takeover. SLSA attestation confirms legitimate origin. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Apparent dormancy is an artifact of the approval pipeline's diff baseline, not real inactivity. @astrojs/mdx is actively maintained in the withastro/astro monorepo with 242 registry versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): picocolors replaces kleur — both are well-known, minimal color utility libraries. picocolors is widely trusted (used by Vite, PostCSS). No security concern. | ai | |
| dependencies | unvetted-dep:remark-smartypants | AI (dependencies): remark-smartypants is a standard remark ecosystem package; its use in an official Astro integration is expected and appropriate. | ai | |
| dependencies | unvetted-dep:@astrojs/markdown-remark | AI (dependencies): @astrojs/markdown-remark is a sibling official Astro package; its use as a dependency of @astrojs/mdx is expected and appropriate. | ai | |
| typosquat | typosquat.levenshtein:mobx | AI (typosquat): @astrojs/mdx is the official Astro MDX integration under the withastro org; Levenshtein match to 'mobx' is purely coincidental and not a credible typosquat signal. | ai | |
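The typosquat row above rests on a Levenshtein hit between the bare name 'mdx' and 'mobx'. The following is an added example (my code, not the scanner's and not from the withastro project) that makes the "coincidental" verdict mechanical rather than a judgement call: it computes the distance on the bare basename and on the full scoped name, then lets an allow-list of org-owned scopes decide. The popular-name list and the scope allow-list are constructed for illustration, and the assumption that the page's rule strips the scope before comparing is exactly that, an assumption made here to reproduce the 'mobx' signal.

```python
"""Levenshtein typosquat screen for scoped npm package names.

Added example, not the scanner's code. POPULAR and OFFICIAL_SCOPES are
constructed lists; whether the page's rule compares the bare basename
(which is what produces the 'mobx' hit) is an assumption made here.
"""


def levenshtein(a, b):
    """Unit-cost edit distance (insert, delete, substitute) with a two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute / match
        prev = cur
    return prev[-1]


POPULAR = ["mobx", "mdast", "remark", "react", "vite", "astro"]  # constructed
OFFICIAL_SCOPES = {"@astrojs"}  # constructed allow-list of org-owned scopes


def split_scope(name):
    """'@astrojs/mdx' -> ('@astrojs', 'mdx'); 'mdx' -> (None, 'mdx')."""
    if name.startswith("@") and "/" in name:
        scope, _, base = name.partition("/")
        return scope, base
    return None, name


def typosquat_screen(name, popular=POPULAR, max_distance=2):
    """Return (verdict, hits); each hit is (candidate, d_basename, d_fullname).

    A hit is raised on the bare basename, which is the noisy comparison; the
    full-name distance is reported alongside so the reviewer can see how far
    the scoped name really is, and a known org scope downgrades the verdict.
    """
    scope, base = split_scope(name)
    hits = []
    for cand in popular:
        if cand == name:
            continue
        d_base = levenshtein(base, cand)
        if d_base <= max_distance:
            hits.append((cand, d_base, levenshtein(name, cand)))
    if not hits:
        return "clean", hits
    if scope in OFFICIAL_SCOPES:
        return "coincidental: scoped name owned by a known org", hits
    return "review", hits


if __name__ == "__main__":
    for pkg in ("@astrojs/mdx", "mdx", "mobxx", "react-dom"):
        print(pkg, "->", typosquat_screen(pkg))
```

The bare name is 2 edits from 'mobx'; the scoped name is 10. The discriminator for an official scoped package is scope ownership, not string distance, so a rule that compares basenames needs the scope allow-list step or it will keep flagging every short official package.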
Versions (showing 16 of 16)
Per-version findings are folded into the last two columns. "Publisher changed" gives the date on which a version was published by a different npm account than previous versions; the scanner flags this because it could indicate either a legitimate maintainer transition or an account compromise. "Attested" marks versions published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1), which the scanner rates as the strongest supply chain integrity signal; all 16 listed versions carry one.
| Version | Deps | Published | Publisher changed | Attested (SLSA v1) |
|---|---|---|---|---|
| 6.0.1 | 14 / 21 | | | yes |
| 6.0.0 | 14 / 21 | | | yes |
| 5.0.6 | 13 / 19 | | | yes |
| 5.0.5 | 13 / 19 | | | yes |
| 5.0.4 | 13 / 19 | | | yes |
| 5.0.3 | 13 / 19 | | 2026-03-26 | yes |
| 5.0.2 | 13 / 19 | | 2026-03-18 | yes |
| 5.0.1 | 13 / 19 | | 2026-03-16 | yes |
| 5.0.0 | 13 / 19 | | 2026-03-10 | yes |
| 4.3.14 | 13 / 18 | | 2026-03-10 | yes |
| 4.3.13 | 13 / 18 | | 2025-12-10 | yes |
| 4.3.12 | 13 / 18 | | 2025-11-20 | yes |
| 4.3.11 | 13 / 18 | | 2025-11-17 | yes |
| 4.3.10 | 13 / 18 | | 2025-11-06 | yes |
| 4.3.9 | 13 / 18 | | 2025-10-28 | yes |
| 4.0.8 | 13 / 19 | | | yes |
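A Sigstore/SLSA attestation binds a tarball digest to a repository, workflow, ref and commit; it does not vouch for the code, for the workflow's own dependencies, or for the repository being uncompromised. What it does let you do is turn the accepted-risk reasoning "SLSA attestation confirms builds from the official repo" into a check instead of a reading of a badge, and it is also the evidence that the "publisher changed" findings are the GitHub Actions publishing identity replacing individual accounts rather than a takeover. The following is an added example (my code, not the scanner's and not from the withastro project) that validates a decoded SLSA v1 provenance statement against the expected package and source repository. The statement is constructed to mirror the shape that `npm publish --provenance` from GitHub Actions produces; the digest, commit and run identifiers are placeholders, and the workflow path is assumed. It assumes the DSSE signature on the envelope has already been verified against the Sigstore certificate for that workflow identity, which is what `npm audit signatures` does for an installed tree; without that step, checking the statement's contents proves nothing.

```python
"""Validate an npm SLSA v1 provenance statement against its expected origin.

Added example; not the scanner's code and not part of the withastro project.
The sample statement is CONSTRUCTED: it mirrors the in-toto/SLSA v1 shape
emitted by `npm publish --provenance` on GitHub Actions, but the sha512,
gitCommit, run id and workflow path are placeholders or assumptions, not the
real values for @astrojs/mdx. Signature verification of the DSSE envelope is
assumed to have happened before this content check.
"""
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_V1 = "https://in-toto.io/Statement/v1"
GH_WORKFLOW_BUILDTYPE = ("https://slsa-framework.github.io/"
                         "github-actions-buildtypes/workflow/v1")
GH_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"

EXPECTED_PURL = "pkg:npm/%40astrojs/mdx@6.0.1"
EXPECTED_REPO = "https://github.com/withastro/astro"


def build_sample_statement(repository, ref="refs/heads/main",
                           predicate_type=SLSA_V1, purl=EXPECTED_PURL,
                           builder_id=GH_HOSTED_BUILDER):
    """CONSTRUCTED statement: correct shape, placeholder digest/commit/run ids."""
    return json.dumps({
        "_type": INTOTO_V1,
        "subject": [{"name": purl, "digest": {"sha512": "0" * 128}}],
        "predicateType": predicate_type,
        "predicate": {
            "buildDefinition": {
                "buildType": GH_WORKFLOW_BUILDTYPE,
                "externalParameters": {"workflow": {
                    "ref": ref,
                    "repository": repository,
                    "path": ".github/workflows/release.yml",  # assumed name
                }},
                "resolvedDependencies": [{
                    "uri": f"git+{repository}@{ref}",
                    "digest": {"gitCommit": "a" * 40},
                }],
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {"invocationId": f"{repository}/actions/runs/1/attempts/1"},
            },
        },
    })


def _norm_repo(url):
    """Compare repo URLs case-insensitively, ignoring a trailing '/' or '.git'."""
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def check_provenance(statement_json, expected_purl, expected_repo,
                     expected_sha512=None, allowed_builders=(GH_HOSTED_BUILDER,)):
    """Return a list of problems; an empty list means the statement matches.

    Passing means: SLSA v1 statement, attests the exact package/version being
    installed (and its tarball sha512 if supplied, which defeats replaying a
    genuine attestation onto a different tarball), built from the expected
    repository on a branch or tag ref (not a pull-request ref), by an allowed
    builder.
    """
    st = json.loads(statement_json)
    problems = []

    if st.get("_type") != INTOTO_V1 or st.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected statement type / predicateType: "
                        f"{st.get('_type')!r} / {st.get('predicateType')!r}")

    subjects = {s.get("name"): s.get("digest", {}) for s in st.get("subject", [])}
    if expected_purl not in subjects:
        problems.append(f"subject {expected_purl} is not attested by this statement")
    elif expected_sha512 and subjects[expected_purl].get("sha512") != expected_sha512:
        problems.append("subject sha512 does not match the tarball being verified")

    pred = st.get("predicate", {})
    workflow = (pred.get("buildDefinition", {})
                    .get("externalParameters", {})
                    .get("workflow", {}))
    repo = workflow.get("repository", "")
    if _norm_repo(repo) != _norm_repo(expected_repo):
        problems.append(f"built from {repo!r}, expected {expected_repo}")
    ref = workflow.get("ref", "")
    if not ref.startswith(("refs/heads/", "refs/tags/")):
        problems.append(f"workflow ref {ref!r} is not a branch or tag")

    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in allowed_builders:
        problems.append(f"builder {builder!r} is not an allowed builder")
    return problems


if __name__ == "__main__":
    official = build_sample_statement(EXPECTED_REPO)
    fork = build_sample_statement("https://github.com/someone/astro")
    print("official:", check_provenance(official, EXPECTED_PURL, EXPECTED_REPO) or "ok")
    print("fork:", check_provenance(fork, EXPECTED_PURL, EXPECTED_REPO))
```

For a real package the statement arrives inside a DSSE envelope from the registry's attestations endpoint, with the JSON above as the base64 `payload`; decode it after signature verification and feed the result to `check_provenance` together with the sha512 of the tarball you actually downloaded. The repository and ref checks are the part of this that a badge does not show you: an attestation from a fork, or from a pull-request ref, is still a valid Sigstore attestation.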