@mintlify/prebuild — Greenflagged

Helpful functions for Mintlify's prebuild step

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dks333hanminthahnbeeshouchem-mintlifykathrynmintlifykylefinkenian-mintlifydenssumeshskeptrune

Keywords

mintlifymintprebuild

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are Mintlify employees (ruhanponnada, kathrynmintlify, kylefinken); org-internal change.	ai	2026/04/27
license	uncommon-license:Elastic-2.0	AI (license): Elastic-2.0 is Mintlify's standard license across their packages.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): Transition from individual account to GitHub Actions CI publishing; consistent with org CI/CD migration.	ai	2026/04/27
phantom-deps	phantom-dep:gray-matter	AI (phantom-deps): gray-matter is referenced in config files but not directly imported; consistent with other accepted phantom deps in this package.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Provenance attestation is uncommon across npm (~12%); absence is not a security disqualifier for this established package.	ai	2026/04/27
phantom-deps	phantom-dep:front-matter	AI (phantom-deps): Legitimate package; phantom detection likely due to indirect/type-level usage in a TypeScript build context.	ai	2026/04/26
dependencies	unvetted-dep:favicons	AI (dependencies): favicons is a well-known, legitimate favicon generation library; appropriate dependency for a documentation prebuild tool.	ai	2026/04/26
dependencies	unvetted-dep:sharp-ico	AI (dependencies): sharp-ico is a legitimate ICO format plugin for the sharp image library, which is also a direct dep; appropriate for favicon/image processing in prebuild.	ai	2026/04/26
phantom-deps	phantom-dep:openapi-types	AI (phantom-deps): Legitimate types-only package; phantom detection expected for type-only imports in TypeScript projects.	ai	2026/04/26
phantom-deps	phantom-dep:unist-util-visit	AI (phantom-deps): Legitimate unist utility; phantom detection likely due to indirect usage pattern in TypeScript build.	ai	2026/04/26
dependencies	unvetted-dep:@mintlify/common	AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages.	ai	2026/04/25
phantom-deps	phantom-dep:@mintlify/openapi-parser	AI (phantom-deps): Same-org package; phantom dep finding is a code quality note, not a security risk for this package.	ai	2026/04/25
dependencies	unvetted-dep:@mintlify/openapi-parser	AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages.	ai	2026/04/25
dependencies	unvetted-dep:@mintlify/validation	AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages.	ai	2026/04/25
dependencies	unvetted-dep:@mintlify/scraping	AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages.	ai	2026/04/25