@mdx-js/mdx — Greenflagged

MDX compiler

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

johnotimneutkenswooormremcohaszing

Keywords

jsxmarkdownmdxremark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Trusted maintainer (wooorm) with strong track record; gap reflects a documented refactor, not account takeover.	ai	2026/05/08
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of johno-bot (automation account) and biscarch (former contributor) is consistent with normal project evolution; primary author johno remains publisher with a strong track record.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): silvenon was a pre-existing contributor to the MDX project; addition as maintainer reflects a legitimate role expansion, not a suspicious takeover.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): silvenon (Matija Marohnić) was already a listed contributor in package.json before becoming publisher; this is a documented, legitimate maintainer transition for the MDX project.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): detab and unist-builder are established packages in the unified/remark ecosystem, fully consistent with MDX's Markdown parsing purpose. No supply-chain risk.	ai	2026/04/22
dependencies	unvetted-dep:rehype-recma	AI (dependencies): rehype-recma is part of the MDX compiler pipeline; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:remark-parse	AI (dependencies): remark-parse is a core unified/remark package; legitimate and expected dependency.	ai	2026/04/22
dependencies	unvetted-dep:remark-rehype	AI (dependencies): remark-rehype is a core unified ecosystem bridge plugin; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:recma-build-jsx	AI (dependencies): recma-build-jsx is part of the recma/MDX toolchain; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:hast-util-to-jsx-runtime	AI (dependencies): hast-util-to-jsx-runtime is a core unified/hast utility; legitimate dependency for MDX JSX output.	ai	2026/04/22
dependencies	unvetted-dep:recma-stringify	AI (dependencies): recma-stringify is part of the recma/MDX toolchain; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:vfile	AI (dependencies): vfile is a core unified ecosystem package and a legitimate dependency of @mdx-js/mdx.	ai	2026/04/22
dependencies	unvetted-dep:unified	AI (dependencies): unified is the foundational package of the unified ecosystem; a legitimate and expected dependency.	ai	2026/04/22
dependencies	unvetted-dep:recma-jsx	AI (dependencies): recma-jsx is part of the recma/MDX toolchain maintained by the same ecosystem; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:remark-mdx	AI (dependencies): remark-mdx is a core MDX remark plugin from the same mdx-js org; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:unist-builder	AI (dependencies): unist-builder is a core unified/unist ecosystem utility; stable and widely used.	ai	2026/04/22
dependencies	unvetted-dep:detab	AI (dependencies): detab is a legitimate remark/unified ecosystem utility; stable dependency of @mdx-js/mdx across versions.	ai	2026/04/22
dependencies	unvetted-dep:@mdx-js/util	AI (dependencies): First-party @mdx-js monorepo package, co-versioned with @mdx-js/mdx. No risk.	ai	2026/04/22
dependencies	unvetted-dep:camelcase-css	AI (dependencies): camelcase-css is a well-known utility for CSS property name conversion; stable dependency.	ai	2026/04/22
dependencies	unvetted-dep:remark-footnotes	AI (dependencies): remark-footnotes is a standard remark plugin; legitimate dependency for MDX processing.	ai	2026/04/22
dependencies	unvetted-dep:remark-squeeze-paragraphs	AI (dependencies): remark-squeeze-paragraphs is a standard remark plugin; legitimate dependency for MDX processing.	ai	2026/04/22
dependencies	unvetted-dep:babel-plugin-apply-mdx-type-prop	AI (dependencies): First-party @mdx-js monorepo package, co-versioned with @mdx-js/mdx. No risk.	ai	2026/04/22
dependencies	unvetted-dep:babel-plugin-extract-import-names	AI (dependencies): First-party @mdx-js monorepo package, co-versioned with @mdx-js/mdx. No risk.	ai	2026/04/22
dependencies	unvetted-dep:unist-util-position-from-estree	AI (dependencies): unist-util-position-from-estree is a legitimate unified ecosystem utility for AST position mapping.	ai	2026/04/22
dependencies	unvetted-dep:@types/mdx	AI (dependencies): @types/mdx provides TypeScript types for MDX; a natural runtime dep for this compiler package.	ai	2026/04/22
dependencies	unvetted-dep:devlop	AI (dependencies): devlop is a legitimate unified-ecosystem utility by wooorm; stable dependency for this package.	ai	2026/04/22
dependencies	unvetted-dep:@types/hast	AI (dependencies): @types/hast provides TypeScript types for the hast AST; standard in the unified ecosystem.	ai	2026/04/22
dependencies	unvetted-dep:unist-util-visit	AI (dependencies): unist-util-visit is a core unified/unist utility; widely used and maintained by the same ecosystem.	ai	2026/04/22
dependencies	unvetted-dep:estree-util-scope	AI (dependencies): estree-util-scope is a legitimate estree utility in the unified ecosystem, appropriate for an MDX compiler.	ai	2026/04/22
dependencies	unvetted-dep:unist-util-stringify-position	AI (dependencies): unist-util-stringify-position is a standard unist utility; part of the unified ecosystem.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance adoption; publisher has strong track record. Absence of provenance is expected for this package's age.	ai	2026/04/22
phantom-deps	phantom-dep:@types/estree	AI (phantom-deps): @types/estree is a TypeScript type declaration package; not directly imported at runtime by design.	ai	2026/04/21
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() is the documented pattern for MDX's runtime code execution; input is controlled compiled output, not arbitrary user code.	ai	2026/04/21
typosquat	typosquat.levenshtein:mobx	AI (typosquat): @mdx-js/mdx is a well-known scoped MDX package with no relation to mobx; the Levenshtein match is a clear false positive that generalizes across all versions.	ai	2026/04/21
phantom-deps	phantom-dep:@types/mdx	AI (phantom-deps): @types/mdx is a TypeScript type declaration package; not directly imported at runtime by design.	ai	2026/04/21
phantom-deps	phantom-dep:acorn	AI (phantom-deps): acorn is referenced in config files for parser configuration, not directly imported. Normal pattern for unified ecosystem packages.	ai	2026/04/21
phantom-deps	phantom-dep:@types/estree-jsx	AI (phantom-deps): @types/estree-jsx is a TypeScript type declaration package; not directly imported at runtime by design.	ai	2026/04/21
phantom-deps	phantom-dep:@types/hast	AI (phantom-deps): @types/hast is a TypeScript type declaration package; not directly imported at runtime by design.	ai	2026/04/21

Versions (showing 51 of 126)

View all versions

Version	Deps	Published
3.1.0	24 / 0	2024-10-18
3.0.1	23 / 0	2024-02-12
3.0.0	23 / 0	2023-10-24
2.3.0	17 / 15	2023-02-09
2.1.4	17 / 15	2022-10-06
2.1.2	17 / 15	2022-06-18
2.1.1	17 / 15	2022-03-31
2.1.0	17 / 15	2022-03-16
2.0.0	17 / 15	2022-02-01
1.6.22	19 / 0	2020-12-01
1.6.21	19 / 0	2020-11-07
1.6.20	19 / 0	2020-11-07
1.6.19	19 / 0	2020-10-20
1.6.18	19 / 0	2020-09-17
1.6.17	19 / 0	2020-09-14
1.6.16	19 / 0	2020-07-29
1.6.15	19 / 0	2020-07-29
1.6.14	19 / 0	2020-07-22
1.6.13	19 / 0	2020-07-20
1.6.12	19 / 0	2020-07-20
1.6.11	19 / 0	2020-07-17
1.6.10	19 / 0	2020-07-17
1.6.9	19 / 0	2020-07-16
1.6.8	19 / 0	2020-07-16
1.6.7	19 / 0	2020-07-15
1.6.6	19 / 0	2020-06-17
1.6.5	19 / 0	2020-05-29
1.6.4	19 / 0	2020-05-20
1.6.3	19 / 0	2020-05-20
1.6.2	19 / 0	2020-05-20
1.6.1	19 / 0	2020-05-01
1.6.0	19 / 0	2020-04-27
1.5.9	19 / 0	2020-04-22
1.5.8	18 / 0	2020-03-26
1.5.7	18 / 0	2020-02-21
1.5.6	18 / 0	2020-02-20
1.5.5	18 / 0	2020-01-16
1.5.4	18 / 0	2020-01-15
1.5.3	18 / 0	2019-12-20
1.5.2	18 / 0	2019-12-16
1.5.1	18 / 11	2019-10-07
1.5.0	18 / 11	2019-09-23
1.4.5	18 / 11	2019-09-09
1.4.4	18 / 11	2019-09-05
1.4.3	18 / 11	2019-09-04
1.4.2	18 / 11	2019-09-03
1.4.1	18 / 11	2019-09-03
1.4.0	18 / 11	2019-08-26
1.3.2	18 / 11	2019-08-25
1.3.1	18 / 11	2019-08-18
1.3.0	18 / 11	2019-08-13