@docusaurus/core
Easy to Maintain Open Source Documentation Websites
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): yangshun's removal is a known legitimate team change within the Docusaurus/Meta org; slorber is the primary long-standing maintainer. Not a takeover signal. | ai | |
| dependencies | unvetted-dep:babel-loader | AI (dependencies): babel-loader is a standard webpack loader for Babel transpilation; appropriate for a build tool. | ai | |
| bogus-package | bogus-package | AI (bogus-package): fb org spam flag is a false positive for the Facebook/Meta npm organization. README signal is irrelevant for a major well-known framework. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval is used for validating object key syntax in routes; legitimate use case in build infrastructure. | ai | |
| phantom-deps | phantom-dep:wait-on | AI (phantom-deps): wait-on is a declared runtime dependency used in Docusaurus CLI tooling; the phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:combine-promises | AI (phantom-deps): Phantom dependency is legitimate for a build tool; referenced in webpack config, not directly imported. | ai | |
| dependencies | unvetted-dep:wait-on | AI (dependencies): wait-on is a utility for waiting on server startup; version constraint ^6.0.1 is reasonable. | ai | |
| phantom-deps | phantom-dep:@docusaurus/react-loadable | AI (phantom-deps): @docusaurus/react-loadable is same-org scoped package; legitimate internal dependency. | ai | |
| phantom-deps | phantom-dep:@svgr/webpack | AI (phantom-deps): @svgr/webpack is referenced in webpack config; legitimate indirect dependency. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (open, execa, tinypool, @docusaurus/babel, @docusaurus/bundler) are legitimate well-known packages consistent with Docusaurus's documented refactoring of bundler/babel into sub-packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 44 new source files reflect a major architectural refactoring (extracting babel/bundler logic) in this established Meta OSS project; all code is publicly auditable on GitHub. | ai | |
| dependencies | unvetted-dep:@babel/plugin-syntax-dynamic-import | AI (dependencies): Official Babel syntax plugin from the Babel org; standard build toolchain dependency. | ai | |
| dependencies | unvetted-dep:del | AI (dependencies): del is a well-known file deletion utility; expected dependency for a build framework like Docusaurus. | ai | |
| dependencies | unvetted-dep:clean-css | AI (dependencies): clean-css is a standard CSS minifier; expected in a static site generator's build pipeline. | ai | |
| dependencies | unvetted-dep:rtl-detect | AI (dependencies): rtl-detect is a small, well-known utility for RTL language detection; appropriate for an i18n-capable docs framework. | ai | |
| dependencies | unvetted-dep:webpackbar | AI (dependencies): webpackbar is a standard webpack progress bar plugin; expected in a webpack-based build framework. | ai | |
| dependencies | unvetted-dep:css-minimizer-webpack-plugin | AI (dependencies): css-minimizer-webpack-plugin is a standard webpack CSS optimization plugin; expected in a build framework. | ai | |
| dependencies | unvetted-dep:autoprefixer | AI (dependencies): autoprefixer is a widely-used PostCSS plugin; standard dependency for CSS processing in a docs framework. | ai | |
| dependencies | unvetted-dep:@babel/preset-env | AI (dependencies): Official Babel preset from the Babel org; standard and expected in any modern JS build toolchain. | ai | |
| dependencies | unvetted-dep:@babel/preset-react | AI (dependencies): Official Babel preset for React from the Babel org; expected in a React-based framework. | ai | |
| dependencies | unvetted-dep:copy-webpack-plugin | AI (dependencies): copy-webpack-plugin is a standard webpack plugin; expected in a webpack-based static site generator. | ai | |
| dependencies | unvetted-dep:html-minifier-terser | AI (dependencies): html-minifier-terser is a well-known HTML minification tool; expected in a static site generator. | ai | |
| dependencies | unvetted-dep:@babel/runtime-corejs3 | AI (dependencies): Official Babel runtime package from the Babel org; standard polyfill runtime dependency. | ai | |
| dependencies | unvetted-dep:file-loader | AI (dependencies): file-loader is a standard webpack loader; expected in a webpack-based static site generator. | ai | |
| dependencies | unvetted-dep:@babel/plugin-transform-runtime | AI (dependencies): Official Babel plugin from the Babel org; standard build toolchain dependency. | ai | |
| dependencies | unvetted-dep:babel-plugin-dynamic-import-node | AI (dependencies): babel-plugin-dynamic-import-node is a well-known Babel plugin for SSR; expected in a React SSG framework. | ai | |
| dependencies | unvetted-dep:@babel/preset-typescript | AI (dependencies): Official Babel TypeScript preset from the Babel org; expected in a TypeScript-supporting framework. | ai | |
| dependencies | unvetted-dep:mini-css-extract-plugin | AI (dependencies): mini-css-extract-plugin is a standard webpack CSS extraction plugin; expected in a webpack-based framework. | ai | |
| dependencies | unvetted-dep:detect-port | AI (dependencies): detect-port is used for dev server port detection; stable for this package. | ai | |
| dependencies | unvetted-dep:execa | AI (dependencies): execa is a well-established sindresorhus package for running child processes; legitimate use in a build tool. | ai | |
| dependencies | unvetted-dep:open | AI (dependencies): open is a well-established sindresorhus package for opening URLs/files; used legitimately in dev server browser-open functionality. | ai | |
| dependencies | unvetted-dep:react-loadable-ssr-addon-v5-slorber | AI (dependencies): Docusaurus-specific fork of react-loadable addon; stable for this package. | ai | |
| dependencies | unvetted-dep:eta | AI (dependencies): eta is a lightweight template engine; legitimate build dependency for Docusaurus. | ai | |
| dependencies | unvetted-dep:prompts | AI (dependencies): CLI prompt library; standard dependency for interactive build tools. | ai | |
| dependencies | unvetted-dep:html-webpack-plugin | AI (dependencies): Standard webpack plugin; expected for static site generation. | ai | |
| dependencies | unvetted-dep:webpack-merge | AI (dependencies): webpack-merge is a standard utility for merging webpack configs; appropriate for this package. | ai | |
| dependencies | unvetted-dep:core-js | AI (dependencies): Standard polyfill library; expected in build tools targeting broad JS environments. | ai | |
| dependencies | unvetted-dep:cssnano | AI (dependencies): cssnano is a standard CSS minifier used in webpack build pipelines; expected for Docusaurus. | ai | |
| dependencies | unvetted-dep:react-helmet-async | AI (dependencies): react-helmet-async is a standard React head management library; slorber fork is documented. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): webpack is the core bundler for Docusaurus; stable for this package. | ai | |
| dependencies | unvetted-dep:shelljs | AI (dependencies): shelljs is a well-known shell utility library; its use in Docusaurus CLI tooling is expected. | ai | |
| provenance | publisher-changed | AI (provenance): Documented transition to docusaurus-bot (project's CI/CD account); legitimate maintainer change within the Docusaurus org. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): core-js is a known implicit runtime dependency for polyfills; stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): PostCSS is referenced in config files; legitimate implicit dependency for CSS processing. | ai | |
| phantom-deps | phantom-dep:react-router | AI (phantom-deps): react-router is referenced in config; legitimate indirect dependency for routing. | ai | |
| phantom-deps | phantom-dep:@babel/runtime-corejs3 | AI (phantom-deps): @babel/runtime-corejs3 is framework-scoped Babel runtime; legitimate for transpilation. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Chalk is referenced in config files for CLI output; legitimate implicit dependency. | ai | |
| provenance | no-provenance | AI (provenance): Established Facebook/Meta-maintained package with long track record; lack of provenance is not a risk signal here. | ai | |
| phantom-deps | phantom-dep:cssnano | AI (phantom-deps): cssnano is referenced in CSS processing config; legitimate indirect dependency. | ai | |
| phantom-deps | phantom-dep:clean-css | AI (phantom-deps): clean-css is referenced in CSS processing config; legitimate indirect dependency. | ai | |
| phantom-deps | phantom-dep:url-loader | AI (phantom-deps): url-loader is referenced in webpack config; legitimate indirect dependency. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): file-loader is referenced in webpack config; legitimate indirect dependency. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @docusaurus/core has no brand confusion risk with 'cors'; false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads package.json for version detection; expected pattern in build tools. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is legitimately used in build server code for port detection; expected in a build tool. | ai | |
Versions (showing 55 of 55)
v3.10.1 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.0 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.1 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-09-26. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-06-06. This could indicate a legitimate maintainer transition or an account compromise.

v3.8.0 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-27. This could indicate a legitimate maintainer transition or an account compromise.

v3.7.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.3 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.2 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.2 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.2 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.3 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.2-canary-6573 (2 findings)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6541 (2 findings)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6528 (2 findings)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6465 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6460 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6458 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6447 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-11-20. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6445 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-11-20. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6439 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-11-14. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.0-canary-6403 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6399 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6392 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6386 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6367 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6366 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6362 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.0-canary-6335 (1 finding)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.0-canary-6324 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-27. This could indicate a legitimate maintainer transition or an account compromise.

v3.7.0-canary-6312 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-14. This could indicate a legitimate maintainer transition or an account compromise.

v3.7.0-canary-6309 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-13. This could indicate a legitimate maintainer transition or an account compromise.

v3.7.0-canary-6303 (2 findings)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-08. This could indicate a legitimate maintainer transition or an account compromise.