@docusaurus/mdx-loader
Docusaurus Loader for MDX
Versions: 4
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers: fb, slorber, lex111, docusaurus-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): False positive: 'fb' flag is Facebook/Meta (legitimate Docusaurus maintainer), not spam; missing keywords is minor metadata issue. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new deps are well-known remark/rehype/unified ecosystem packages or internal Docusaurus packages, consistent with a v2→v3 major release rewrite. No suspicious packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 28 new source files are expected for a major version bump (v2→v3) of an MDX loader with expanded functionality. No obfuscation or injection signals. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): yangshun's removal reflects a known, legitimate Docusaurus team transition; slorber is the established primary maintainer with a clean track record. Not a takeover signal. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions is consistent with CI/CD automation for official Docusaurus monorepo; legitimate transition. | ai | |
| dependencies | unvetted-dep:file-loader | AI (dependencies): file-loader is a standard webpack loader; expected dependency for this webpack-based MDX loader. | ai | |
| dependencies | unvetted-dep:remark-emoji | AI (dependencies): remark-emoji is a standard remark plugin; expected for Docusaurus MDX processing. | ai | |
| dependencies | unvetted-dep:mdast-util-mdx | AI (dependencies): mdast-util-mdx is a core MDX AST utility; expected for an MDX loader. | ai | |
| dependencies | unvetted-dep:remark-directive | AI (dependencies): remark-directive is a standard remark plugin; expected for Docusaurus MDX processing. | ai | |
| dependencies | unvetted-dep:stringify-object | AI (dependencies): stringify-object is a well-known utility; expected for serializing objects in MDX loader output. | ai | |
| dependencies | unvetted-dep:unist-util-visit | AI (dependencies): unist-util-visit is a core unified ecosystem utility; expected for AST traversal in MDX loader. | ai | |
| dependencies | unvetted-dep:remark-frontmatter | AI (dependencies): remark-frontmatter is a standard remark plugin; expected for frontmatter parsing in Docusaurus. | ai | |
| dependencies | unvetted-dep:@slorber/remark-comment | AI (dependencies): Published by the same maintainer (slorber) as this package; consistent with trusted publisher identity. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker. | ai | |
| dependencies | unvetted-dep:mdast-util-to-string | AI (dependencies): Standard remark/mdast ecosystem package with reasonable semver constraint; stable for Docusaurus. | ai | |
| dependencies | unvetted-dep:vfile | AI (dependencies): vfile is a core unified ecosystem package; expected dependency for an MDX loader. Stable for this package. | ai | |
| dependencies | unvetted-dep:unified | AI (dependencies): unified is the canonical text processing framework; expected dependency for an MDX loader. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): webpack is a standard build tool; expected peer/dependency for a webpack loader package. | ai | |
| dependencies | unvetted-dep:rehype-raw | AI (dependencies): rehype-raw is a standard rehype plugin; expected for MDX/HTML processing in Docusaurus. | ai | |
| dependencies | unvetted-dep:remark-gfm | AI (dependencies): remark-gfm is a standard remark plugin for GitHub Flavored Markdown; expected for MDX loader. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config but not directly imported; expected pattern for build tools. | ai | |
| phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Webpack loader referenced in config but not directly imported; expected pattern for build tools. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 3.10.1 | 24 / 12 | |
| 3.6.2 | 24 / 12 | |
| 2.4.3 | 17 / 12 | |
| 2.0.0 | 17 / 12 | |
v3.10.1 (1 finding)
- INFO, provenance: Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.6.2 (1 finding)
- INFO, provenance: No provenance attestation. [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.3 (1 finding)
- INFO, provenance: No provenance attestation. [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0 (1 finding)
- INFO, provenance: No provenance attestation. [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.