@mermaid-js/parser
MermaidJS parser
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-AFFP7ECJ.mjs | AI (source-diff): Bundled build output with standard esbuild CJS/ESM shims; not malicious network+exec. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.core/chunk-NNHCCRGN.mjs | AI (source-diff): Bundled build output with standard esbuild CJS/ESM shims; not malicious network+exec. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-PX4A6JQG.mjs | AI (source-diff): Bundled build output with standard esbuild CJS/ESM shims; not malicious network+exec. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-R7M4247S.mjs | AI (source-diff): Minified version of the same Langium/vscode-jsonrpc bundle. Same false-positive pattern as the unminified chunk — LSP protocol code, not dropper malware. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-ETPEW4Z4.mjs | AI (source-diff): Bundled Langium/vscode-jsonrpc LSP library artifact. Network calls are JSON-RPC protocol; dynamic execution is standard CommonJS module wrapper. Not malicious. | ai | |
| typosquat | typosquat.levenshtein:parcel | AI (typosquat): @mermaid-js/parser is a scoped package under the official mermaid-js org; the Levenshtein match against 'parcel' is purely coincidental and not a typosquat. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-7CH2EZHI.mjs | AI (source-diff): Bundled langium/vscode-jsonrpc LSP infrastructure. Network patterns are LSP IPC, not remote code fetch. Exec patterns are standard esbuild __commonJS wrappers, not eval/Function. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-U22FQTB5.mjs | AI (source-diff): Minified version of the same langium/vscode-jsonrpc bundle. Same rationale: LSP IPC patterns + bundler boilerplate, not dropper/loader behavior. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-NIDWWGYF.mjs | AI (source-diff): Minified version of the same bundled Langium/vscode-jsonrpc output. Same false-positive rationale: LSP JSON-RPC + bundler interop helpers, not dropper/loader malware. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-7ERVPVDL.mjs | AI (source-diff): Network calls originate from bundled vscode-jsonrpc (Langium LSP dependency); dynamic code is standard esbuild CJS-to-ESM interop boilerplate. Not malicious. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-RQP4ABWY.mjs | AI (source-diff): Unminified counterpart of the same langium/vscode-jsonrpc bundle. Network patterns are LSP JSON-RPC transport, not malicious. SLSA provenance confirms legitimate CI/CD build. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-AWU6ROIC.mjs | AI (source-diff): Bundle of langium + vscode-jsonrpc LSP infrastructure. Network patterns are JSON-RPC transport primitives, not dropper behavior. Consistent with langium dependency and SLSA-attested build. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-6ZVUH7GU.mjs | AI (source-diff): Bundled build artifact containing langium/vscode-languageserver-types LSP code. Network patterns are LSP URI strings, not runtime network calls. Standard esbuild bundle boilerplate. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-6NUPY6JS.mjs | AI (source-diff): Bundled build artifact containing langium/vscode-languageserver-types LSP code. Network patterns are LSP URI strings, not runtime network calls. Standard esbuild bundle boilerplate. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-DYFX3CBW.mjs | AI (source-diff): Bundled vscode-jsonrpc/Langium LSP infrastructure; network calls are JSON-RPC over stdio, dynamic code is esbuild CommonJS shim. Not malicious; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-HXD2SLYF.mjs | AI (source-diff): Minified version of the same bundled vscode-jsonrpc/Langium LSP code. Same rationale as the non-minified chunk; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-WVIFXK7E.mjs | AI (source-diff): False positive: same bundled Langium/vscode-jsonrpc artifact in unminified form. Standard ESM/CJS interop wrappers, not malicious dropper code. SLSA provenance confirmed. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-CX7FH56F.mjs | AI (source-diff): False positive: bundled Langium/vscode-jsonrpc build artifact. Network patterns are LSP socket abstractions; dynamic code is standard CJS interop boilerplate from esbuild. SLSA provenance confirmed. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-ZK36NFND.mjs | AI (source-diff): Same bundled langium/vscode-jsonrpc LSP runtime (unminified version). Network+exec pattern is from JSON-RPC abstractions, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-6TGVXIR7.mjs | AI (source-diff): Bundled langium/vscode-jsonrpc LSP runtime; network+exec pattern is from JSON-RPC socket abstractions, not malware. SLSA provenance confirmed. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-BK3ZJOXK.mjs | AI (source-diff): File is standard esbuild bundle output containing langium/vscode-languageserver-types. Network+exec pattern is a false positive on bundled parser library code. | ai | |
| provenance | publisher-changed | AI (provenance): mermaid-js uses GitHub Actions for automated npm publishing; transition from personal account (sidv) to CI/CD is expected and confirmed by SLSA provenance attestation. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-DQIAHSCC.mjs | AI (source-diff): Minified version of the same esbuild bundle. Network+exec pattern is a false positive on bundled parser library code. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-IS2RFRM7.mjs | AI (source-diff): Same as above — unbundled ESM variant of the same langium/vscode-jsonrpc code. Standard build output, not malware. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-GZP6XWLY.mjs | AI (source-diff): Bundled langium/vscode-jsonrpc LSP infrastructure; network patterns are JSON-RPC, dynamic exec patterns are CommonJS bundler wrappers. Legitimate build artifact from official mermaid-js org. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm.min/chunk-3AB64ZUG.mjs | AI (source-diff): False positive: bundled esbuild/rollup output containing vscode-languageserver-types LSP definitions. SLSA provenance confirms legitimate CI build from official mermaid-js repo. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Version bump 1.0.1→1.1.0 adds new diagram parsers; larger bundle is expected. SLSA provenance and official mermaid-js repo confirm legitimacy. | ai | |
| source-diff | net-exec-file:dist/chunks/mermaid-parser.esm/chunk-6B26QC54.mjs | AI (source-diff): False positive: same bundled artifact (unminified version). Standard bundler boilerplate + langium/LSP types. SLSA provenance confirms legitimate CI build. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.1.1 | 1 / 3 | |
| 1.1.0 | 1 / 1 | |
| 1.0.1 | 1 / 1 | |
| 1.0.0 | 1 / 1 | |
| 0.6.3 | 1 / 1 | |
| 0.6.2 | 1 / 1 | |
| 0.6.1 | 1 / 1 | |
| 0.6.0 | 1 / 1 | |
| 0.5.0 | 1 / 1 | |
| 0.4.0 | 1 / 1 | |
| 0.3.0 | 1 / 1 | |
| 0.2.0 | 1 / 1 | |
| 0.1.1 | 1 / 1 | |
| 0.1.0 | 1 / 1 | |
v1.1.1
4 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
4 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
4 findings
This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.2
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.