@mdx-js/react
React context for MDX
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): wooorm (Titus Wormer) is a listed contributor and the unified ecosystem lead; legitimate maintainer transition for v2.0.0. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @types/mdx and @types/react are standard TS type packages added for the v2 TypeScript-first rewrite; benign for this package. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package loaded by convention in React libraries; stable pattern for @mdx-js/react. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is infrastructure recommendation, not security defect; wooorm's track record is strong. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): remcohaszing is a known contributor in the unified/mdx ecosystem; addition appears to be a legitimate team change by the trusted wooorm publisher. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): silvenon removal alongside remcohaszing addition reflects a routine team rotation in the mdx-js org, not a hostile takeover. | ai | |
| phantom-deps | phantom-dep:@types/mdx | AI (phantom-deps): @types/mdx is a TypeScript type package used by convention; it is not directly imported but provides types for consumers. This is expected and stable for this package. | ai | |
| dependencies | unvetted-dep:@types/mdx | AI (dependencies): @types/mdx is the official MDX type declarations from the same ecosystem; its use as a runtime dep for type distribution is a stable, legitimate pattern for this package. | ai |
Versions (showing 70 of 70)
| Version | Deps | Published |
|---|---|---|
| 3.1.1 | 1 / 0 | |
| 3.1.0 | 1 / 0 | |
| 2.2.1 | 2 / 5 | |
| 2.2.0 | 2 / 5 | |
| 2.1.5 | 2 / 5 | |
| 2.1.3 | 2 / 5 | |
| 2.1.1 | 2 / 5 | |
| 2.1.0 | 2 / 5 | |
| 2.0.0 | 2 / 5 | |
| 1.6.22 | 0 / 0 | |
| 1.6.21 | 0 / 0 | |
| 1.6.20 | 0 / 0 | |
| 1.6.19 | 0 / 0 | |
| 1.6.18 | 0 / 0 | |
| 1.6.17 | 0 / 0 | |
| 1.6.16 | 0 / 0 | |
| 1.6.15 | 0 / 0 | |
| 1.6.14 | 0 / 0 | |
| 1.6.13 | 0 / 0 | |
| 1.6.12 | 0 / 0 | |
| 1.6.11 | 0 / 0 | |
| 1.6.10 | 0 / 0 | |
| 1.6.9 | 0 / 0 | |
| 1.6.8 | 0 / 0 | |
| 1.6.7 | 0 / 0 | |
| 1.6.6 | 0 / 0 | |
| 1.6.5 | 0 / 0 | |
| 1.6.4 | 0 / 0 | |
| 1.6.3 | 0 / 0 | |
| 1.6.2 | 0 / 0 | |
| 1.6.1 | 0 / 0 | |
| 1.6.0 | 0 / 0 | |
| 1.5.9 | 0 / 0 | |
| 1.5.8 | 0 / 0 | |
| 1.5.7 | 0 / 0 | |
| 1.5.6 | 0 / 0 | |
| 1.5.5 | 0 / 0 | |
| 1.5.4 | 0 / 0 | |
| 1.5.3 | 0 / 0 | |
| 1.5.2 | 0 / 0 | |
| 1.5.1 | 0 / 8 | |
| 1.5.0 | 0 / 8 | |
| 1.4.5 | 0 / 8 | |
| 1.4.4 | 0 / 8 | |
| 1.4.3 | 0 / 8 | |
| 1.4.2 | 0 / 8 | |
| 1.4.1 | 0 / 8 | |
| 1.4.0 | 0 / 8 | |
| 1.3.2 | 0 / 8 | |
| 1.3.1 | 0 / 8 | |
| 1.3.0 | 0 / 8 | |
| 1.2.2 | 0 / 8 | |
| 1.2.1 | 0 / 8 | |
| 1.2.0 | 0 / 8 | |
| 1.1.6 | 0 / 8 | |
| 1.1.5 | 0 / 8 | |
| 1.1.4 | 0 / 8 | |
| 1.1.2 | 0 / 8 | |
| 1.1.1 | 0 / 8 | |
| 1.0.27 | 0 / 8 | |
| 1.0.26 | 0 / 8 | |
| 1.0.23 | 0 / 8 | |
| 1.0.22 | 0 / 8 | |
| 1.0.21 | 0 / 8 | |
| 1.0.20 | 0 / 8 | |
| 1.0.16 | 0 / 8 | |
| 1.0.15 | 0 / 8 | |
| 1.0.6 | 0 / 8 | |
| 1.0.2 | 0 / 8 | |
| 1.0.1 | 0 / 8 |
v3.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findingsThis version was published by a different npm account than previous versions on 2022-02-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.