@langchain/textsplitters
Various implementations of LangChain.js text splitters
8
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
hwchase17jacoblee93basprouleric_langchainandrewnguonlynfcamposdavidduongmaddyadamssam_noyeshntrlchristian-bromann
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): hntrl is a known LangChain org contributor with strong track record; package.json still references official langchain-ai GitHub org. Legitimate maintainer transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (eric_langchain, hntrl, christian-bromann) are consistent with LangChain org team rotation; package metadata still points to official repo. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of vbarda and sullivan-sean is consistent with an org-level maintainer rotation, not a hostile takeover. Official repo URL unchanged. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the established initial version pattern for @langchain/* monorepo packages published by the official LangChain team; not indicative of malicious intent. | ai | |
| dependencies | unvetted-dep:js-tiktoken | AI (dependencies): js-tiktoken is a standard tokenizer library expected in LangChain text splitting packages; stable legitimate dependency for this package. | ai |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 1.0.1 | 1 / 11 | |
| 1.0.0 | 1 / 11 | |
| 0.1.0 | 1 / 23 | |
| 0.0.3 | 2 / 22 | |
| 0.0.2 | 2 / 22 | |
| 0.0.1 | 2 / 22 | |
| 0.0.0 | 2 / 22 | |
| 1.0.0-alpha.1 | 1 / 18 |
v1.0.0-alpha.1
3 findings
HIGH
Missing gitHead — previous versions had it
provenance
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hntrl.
HIGH
Publisher changed: jacoblee93 → hntrl (on 2025-08-28)
provenance
This version was published by a different npm account than previous versions on 2025-08-28. This could indicate a legitimate maintainer transition or an account compromise.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.