@mdx-js/react — Greenflagged

React context for MDX

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

johnotimneutkenswooormremcohaszing

Keywords

jsxmarkdownmdxreactremark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): wooorm (Titus Wormer) is a listed contributor and the unified ecosystem lead; legitimate maintainer transition for v2.0.0.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): @types/mdx and @types/react are standard TS type packages added for the v2 TypeScript-first rewrite; benign for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/react	AI (phantom-deps): Framework-scoped type package loaded by convention in React libraries; stable pattern for @mdx-js/react.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Provenance attestation is infrastructure recommendation, not security defect; wooorm's track record is strong.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): remcohaszing is a known contributor in the unified/mdx ecosystem; addition appears to be a legitimate team change by the trusted wooorm publisher.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): silvenon removal alongside remcohaszing addition reflects a routine team rotation in the mdx-js org, not a hostile takeover.	ai	2026/04/24
phantom-deps	phantom-dep:@types/mdx	AI (phantom-deps): @types/mdx is a TypeScript type package used by convention; it is not directly imported but provides types for consumers. This is expected and stable for this package.	ai	2026/04/23
dependencies	unvetted-dep:@types/mdx	AI (dependencies): @types/mdx is the official MDX type declarations from the same ecosystem; its use as a runtime dep for type distribution is a stable, legitimate pattern for this package.	ai	2026/04/23

Versions (showing 51 of 70)

View all versions

Version	Deps	Published
3.1.1	1 / 0	2025-08-29
3.1.0	1 / 0	2024-10-18
2.2.1	2 / 5	2022-12-14
2.2.0	2 / 5	2022-12-14
2.1.5	2 / 5	2022-10-11
2.1.3	2 / 5	2022-08-17
2.1.1	2 / 5	2022-03-31
2.1.0	2 / 5	2022-03-16
2.0.0	2 / 5	2022-02-01
1.6.22	0 / 0	2020-12-01
1.6.21	0 / 0	2020-11-07
1.6.20	0 / 0	2020-11-07
1.6.19	0 / 0	2020-10-20
1.6.18	0 / 0	2020-09-17
1.6.17	0 / 0	2020-09-14
1.6.16	0 / 0	2020-07-29
1.6.15	0 / 0	2020-07-29
1.6.14	0 / 0	2020-07-22
1.6.13	0 / 0	2020-07-20
1.6.12	0 / 0	2020-07-20
1.6.11	0 / 0	2020-07-17
1.6.10	0 / 0	2020-07-17
1.6.9	0 / 0	2020-07-16
1.6.8	0 / 0	2020-07-16
1.6.7	0 / 0	2020-07-15
1.6.6	0 / 0	2020-06-17
1.6.5	0 / 0	2020-05-29
1.6.4	0 / 0	2020-05-20
1.6.3	0 / 0	2020-05-20
1.6.2	0 / 0	2020-05-20
1.6.1	0 / 0	2020-05-01
1.6.0	0 / 0	2020-04-27
1.5.9	0 / 0	2020-04-22
1.5.8	0 / 0	2020-03-26
1.5.7	0 / 0	2020-02-21
1.5.6	0 / 0	2020-02-20
1.5.5	0 / 0	2020-01-16
1.5.4	0 / 0	2020-01-15
1.5.3	0 / 0	2019-12-20
1.5.2	0 / 0	2019-12-16
1.5.1	0 / 8	2019-10-07
1.5.0	0 / 8	2019-09-23
1.4.5	0 / 8	2019-09-09
1.4.4	0 / 8	2019-09-05
1.4.3	0 / 8	2019-09-04
1.4.2	0 / 8	2019-09-03
1.4.1	0 / 8	2019-09-03
1.4.0	0 / 8	2019-08-26
1.3.2	0 / 8	2019-08-25
1.3.1	0 / 8	2019-08-18
1.3.0	0 / 8	2019-08-13

v3.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.