@atlaskit/editor-json-transformer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change reflects Atlassian's migration to atlassianartifactteam; stable for this package family. | ai | |
| provenance | missing-githead | AI (provenance): Changed publish environment due to org migration; no malicious signal given the publisher's track record. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Atlassian org restructure; atlaskit-user confirmed as known maintainer by email match on prior approved versions. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Atlassian org accounts; legitimate org-level publisher migration. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Old atlaskit account replaced by org accounts; consistent with Atlassian's known migration pattern. | ai | |
| dependencies | unvetted-dep:@atlaskit/adf-schema | AI (dependencies): @atlaskit/adf-schema is a first-party Atlassian package, expected dependency for this editor transformer. | ai | |
| dependencies | unvetted-dep:@atlaskit/adf-utils | AI (dependencies): @atlaskit/adf-utils is a first-party Atlassian package, expected dependency for this editor transformer. | ai | |
| dependencies | unvetted-dep:@atlaskit/editor-prosemirror | AI (dependencies): @atlaskit/editor-prosemirror is a first-party Atlassian package, expected dependency for this editor transformer. | ai | |
| provenance | no-provenance | AI (provenance): Atlassian's atlassianartifactteam publisher has 98 approved packages; lack of provenance is consistent across their entire catalog and not a meaningful risk signal for this established package. | ai |
Versions (showing 51 of 65)
| Version | Deps | Published |
|---|---|---|
| 8.33.2 | 5 / 3 | |
| 8.33.1 | 5 / 3 | |
| 8.33.0 | 5 / 3 | |
| 8.32.0 | 5 / 3 | |
| 8.31.8 | 5 / 2 | |
| 8.31.7 | 5 / 2 | |
| 8.31.6 | 5 / 2 | |
| 8.31.5 | 5 / 2 | |
| 8.31.4 | 5 / 1 | |
| 8.31.3 | 5 / 1 | |
| 8.31.2 | 5 / 1 | |
| 8.31.1 | 5 / 1 | |
| 8.31.0 | 5 / 1 | |
| 8.30.0 | 5 / 1 | |
| 8.29.1 | 5 / 1 | |
| 8.29.0 | 5 / 1 | |
| 8.28.0 | 5 / 1 | |
| 8.27.2 | 5 / 1 | |
| 8.27.1 | 5 / 1 | |
| 8.27.0 | 5 / 1 | |
| 8.26.1 | 5 / 1 | |
| 8.26.0 | 5 / 1 | |
| 8.25.1 | 5 / 2 | |
| 8.25.0 | 5 / 2 | |
| 8.24.5 | 5 / 2 | |
| 8.24.4 | 5 / 2 | |
| 8.24.3 | 5 / 2 | |
| 8.24.2 | 6 / 2 | |
| 8.24.1 | 6 / 2 | |
| 8.24.0 | 6 / 2 | |
| 8.23.1 | 6 / 3 | |
| 8.23.0 | 6 / 3 | |
| 8.22.2 | 6 / 3 | |
| 8.22.1 | 6 / 3 | |
| 8.22.0 | 6 / 3 | |
| 8.21.2 | 6 / 3 | |
| 8.21.1 | 6 / 3 | |
| 8.21.0 | 6 / 3 | |
| 8.20.4 | 5 / 4 | |
| 8.20.3 | 5 / 4 | |
| 8.20.2 | 5 / 4 | |
| 8.20.1 | 5 / 4 | |
| 8.20.0 | 5 / 4 | |
| 8.19.1 | 5 / 4 | |
| 8.19.0 | 5 / 4 | |
| 8.18.2 | 5 / 4 | |
| 8.18.1 | 5 / 3 | |
| 8.18.0 | 5 / 4 | |
| 8.17.0 | 5 / 4 | |
| 8.16.0 | 5 / 4 | |
| 8.15.1 | 5 / 4 |
v8.33.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.31.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.31.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.24.2
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-04-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.24.1
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-04-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.24.0
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-03-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.23.1
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-02-13. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.23.0
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-02-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.22.2
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-02-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.22.1
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-02-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.22.0
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-01-31. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.21.2
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2025-01-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.21.1
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-11-27, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.21.0
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-11-11, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.20.4
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-11-08, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.20.3
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-11-01, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.20.2
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-10-24, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.20.1
3 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam, atlaskit-user). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atlaskit-user) than the most recent previously approved version (atlaskit) on 2024-10-22, but atlaskit-user is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.18.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.