@docusaurus/mdx-loader
Docusaurus Loader for MDX
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): False positive: 'fb' flag is Facebook/Meta (legitimate Docusaurus maintainer), not spam; missing keywords is minor metadata issue. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new deps are well-known remark/rehype/unified ecosystem packages or internal Docusaurus packages, consistent with a v2→v3 major release rewrite. No suspicious packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 28 new source files are expected for a major version bump (v2→v3) of an MDX loader with expanded functionality. No obfuscation or injection signals. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): yangshun's removal reflects a known, legitimate Docusaurus team transition; slorber is the established primary maintainer with a clean track record. Not a takeover signal. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions is consistent with CI/CD automation for official Docusaurus monorepo; legitimate transition. | ai | |
| dependencies | unvetted-dep:file-loader | AI (dependencies): file-loader is a standard webpack loader; expected dependency for this webpack-based MDX loader. | ai | |
| dependencies | unvetted-dep:remark-emoji | AI (dependencies): remark-emoji is a standard remark plugin; expected for Docusaurus MDX processing. | ai | |
| dependencies | unvetted-dep:mdast-util-mdx | AI (dependencies): mdast-util-mdx is a core MDX AST utility; expected for an MDX loader. | ai | |
| dependencies | unvetted-dep:remark-directive | AI (dependencies): remark-directive is a standard remark plugin; expected for Docusaurus MDX processing. | ai | |
| dependencies | unvetted-dep:stringify-object | AI (dependencies): stringify-object is a well-known utility; expected for serializing objects in MDX loader output. | ai | |
| dependencies | unvetted-dep:unist-util-visit | AI (dependencies): unist-util-visit is a core unified ecosystem utility; expected for AST traversal in MDX loader. | ai | |
| dependencies | unvetted-dep:remark-frontmatter | AI (dependencies): remark-frontmatter is a standard remark plugin; expected for frontmatter parsing in Docusaurus. | ai | |
| dependencies | unvetted-dep:@slorber/remark-comment | AI (dependencies): Published by the same maintainer (slorber) as this package; consistent with trusted publisher identity. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker. | ai | |
| dependencies | unvetted-dep:mdast-util-to-string | AI (dependencies): Standard remark/mdast ecosystem package with reasonable semver constraint; stable for Docusaurus. | ai | |
| dependencies | unvetted-dep:vfile | AI (dependencies): vfile is a core unified ecosystem package; expected dependency for an MDX loader. Stable for this package. | ai | |
| dependencies | unvetted-dep:unified | AI (dependencies): unified is the canonical text processing framework; expected dependency for an MDX loader. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): webpack is a standard build tool; expected peer/dependency for a webpack loader package. | ai | |
| dependencies | unvetted-dep:rehype-raw | AI (dependencies): rehype-raw is a standard rehype plugin; expected for MDX/HTML processing in Docusaurus. | ai | |
| dependencies | unvetted-dep:remark-gfm | AI (dependencies): remark-gfm is a standard remark plugin for GitHub Flavored Markdown; expected for MDX loader. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config but not directly imported; expected pattern for build tools. | ai | |
| phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Webpack loader referenced in config but not directly imported; expected pattern for build tools. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 3.10.1 | 24 / 12 | |
| 3.6.2 | 24 / 12 | |
| 2.4.3 | 17 / 12 | |
| 2.0.0 | 17 / 12 | |
| 3.9.2-canary-6546 | 24 / 12 | |
| 3.9.2-canary-6545 | 24 / 12 | |
| 3.9.2-canary-6544 | 24 / 12 | |
| 3.9.2-canary-6543 | 24 / 12 | |
| 3.9.2-canary-6528 | 24 / 12 | |
| 3.9.2-canary-6443 | 24 / 12 | |
| 3.9.2-canary-6439 | 24 / 12 | |
| 3.9.2-canary-6426 | 24 / 12 | |
| 3.9.2-alpha.4 | 24 / 12 | |
| 3.9.2-alpha.0 | 24 / 12 | |
| 3.8.1-canary-6366 | 24 / 12 | |
| 3.8.1-canary-6345 | 24 / 12 | |
| 3.7.0-canary-6307 | 24 / 12 | |
| 3.7.0-canary-6305 | 24 / 12 | |
v3.10.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.6.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.2-canary-6546
2 findings:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6545
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6544
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6543
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6528
2 findings:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6443
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-11-20. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6439
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-11-14. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6426
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-alpha.4
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.1-canary-6366
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.1-canary-6345
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.7.0-canary-6307
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-09. This could indicate a legitimate maintainer transition or an account compromise.

v3.7.0-canary-6305
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-09. This could indicate a legitimate maintainer transition or an account compromise.