@docusaurus/utils
Node utility functions for Docusaurus packages.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard for this package; not a security concern for established maintainers. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are established packages (jiti, prompts, utility-types) appropriate for a Docusaurus utility library. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 24 new source files in canary release is expected for routine development; no diff anomalies detected. | ai | |
| provenance | publisher-changed | AI (provenance): Documented transition within Docusaurus project from bot account to maintainer; legitimate account management. | ai | |
| dependencies | unvetted-dep:shelljs | AI (dependencies): shelljs is a well-known shell utility library; its use in Docusaurus build tooling is legitimate and expected across all versions of this package. | ai | |
| dependencies | unvetted-dep:@docusaurus/types | AI (dependencies): First-party Docusaurus monorepo package; unvetted only due to registry gap. | ai | |
| dependencies | unvetted-dep:@docusaurus/utils-common | AI (dependencies): First-party Docusaurus monorepo package; unvetted only due to registry gap. | ai | |
| phantom-deps | phantom-dep:prompts | AI (phantom-deps): prompts is referenced in config files; phantom-dep finding is expected for this package. | ai | |
| dependencies | unvetted-dep:execa | AI (dependencies): execa is an established, widely-used process execution library; appropriate for a utility package. | ai | |
| dependencies | unvetted-dep:prompts | AI (dependencies): prompts is a well-known CLI prompting library; legitimate for interactive utilities in Docusaurus. | ai | |
| dependencies | unvetted-dep:jiti | AI (dependencies): jiti is an established build tool dependency; unvetted status is acceptable for this package's context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals are false positives: 'fb' spam flag does not apply to slorber; minimal README is appropriate for a utility library; missing keywords is metadata-only. | ai | |
| dependencies | unvetted-dep:p-queue | AI (dependencies): p-queue is a standard promise queue library; legitimate utility dependency for this package. | ai | |
| dependencies | unvetted-dep:globby | AI (dependencies): globby is a widely-used file globbing library; unvetted only due to registry gap. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): webpack is a canonical build tool; appropriate for a Docusaurus utility package. | ai | |
| dependencies | unvetted-dep:file-loader | AI (dependencies): file-loader is a well-known webpack loader; unvetted only due to registry gap. | ai | |
| dependencies | unvetted-dep:gray-matter | AI (dependencies): gray-matter is a well-known front matter parser used legitimately by Docusaurus for markdown processing. | ai |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 3.10.1 | 21 / 6 | |
| 3.10.0 | 21 / 6 | |
| 3.9.2 | 21 / 6 | |
| 3.9.1 | 21 / 6 | |
| 3.9.0 | 21 / 6 | |
| 3.8.1 | 21 / 6 | |
| 3.8.0 | 21 / 6 | |
| 3.7.0 | 20 / 6 | |
| 3.6.3 | 21 / 6 | |
| 3.6.2 | 21 / 6 | |
| 3.6.1 | 21 / 6 | |
| 3.6.0 | 20 / 7 | |
| 3.5.2 | 20 / 7 | |
| 3.5.1 | 20 / 7 | |
| 3.5.0 | 20 / 7 | |
| 3.4.0 | 20 / 7 | |
| 3.3.2 | 19 / 7 | |
| 3.3.0 | 19 / 7 | |
| 3.2.1 | 19 / 7 | |
| 3.2.0 | 19 / 7 | |
| 3.1.1 | 17 / 7 | |
| 3.1.0 | 17 / 7 | |
| 3.0.1 | 17 / 7 | |
| 3.0.0 | 17 / 7 | |
| 2.4.3 | 16 / 6 | |
| 2.4.1 | 16 / 6 | |
| 2.4.0 | 16 / 6 | |
| 2.3.1 | 16 / 6 | |
| 2.3.0 | 16 / 6 | |
| 2.2.0 | 15 / 6 | |
| 2.1.0 | 15 / 6 | |
| 2.0.1 | 15 / 6 | |
| 2.0.0 | 15 / 6 |
v3.10.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.10.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
v3.9.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
v3.9.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-26. This could indicate a legitimate maintainer transition or an account compromise.
v3.9.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.