@mintlify/prebuild
Helpful functions for Mintlify's prebuild step
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Mintlify employees (ruhanponnada, kathrynmintlify, kylefinken); org-internal change. | ai | |
| license | uncommon-license:Elastic-2.0 | AI (license): Elastic-2.0 is Mintlify's standard license across their packages. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from individual account to GitHub Actions CI publishing; consistent with org CI/CD migration. | ai | |
| phantom-deps | phantom-dep:gray-matter | AI (phantom-deps): gray-matter is referenced in config files but not directly imported; consistent with other accepted phantom deps in this package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is uncommon across npm (~12%); absence is not a security disqualifier for this established package. | ai | |
| phantom-deps | phantom-dep:front-matter | AI (phantom-deps): Legitimate package; phantom detection likely due to indirect/type-level usage in a TypeScript build context. | ai | |
| dependencies | unvetted-dep:favicons | AI (dependencies): favicons is a well-known, legitimate favicon generation library; appropriate dependency for a documentation prebuild tool. | ai | |
| dependencies | unvetted-dep:sharp-ico | AI (dependencies): sharp-ico is a legitimate ICO format plugin for the sharp image library, which is also a direct dep; appropriate for favicon/image processing in prebuild. | ai | |
| phantom-deps | phantom-dep:openapi-types | AI (phantom-deps): Legitimate types-only package; phantom detection expected for type-only imports in TypeScript projects. | ai | |
| phantom-deps | phantom-dep:unist-util-visit | AI (phantom-deps): Legitimate unist utility; phantom detection likely due to indirect usage pattern in TypeScript build. | ai | |
| dependencies | unvetted-dep:@mintlify/common | AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages. | ai | |
| phantom-deps | phantom-dep:@mintlify/openapi-parser | AI (phantom-deps): Same-org package; phantom dep finding is a code quality note, not a security risk for this package. | ai | |
| dependencies | unvetted-dep:@mintlify/openapi-parser | AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages. | ai | |
| dependencies | unvetted-dep:@mintlify/validation | AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages. | ai | |
| dependencies | unvetted-dep:@mintlify/scraping | AI (dependencies): Same-org scoped package from Mintlify; expected internal dependency across all @mintlify/* packages. | ai |
Versions (showing 100 of 549)
| Version | Deps | Published |
|---|---|---|
| 1.0.961 | 14 / 14 | |
| 1.0.960 | 14 / 14 | |
| 1.0.959 | 14 / 14 | |
| 1.0.958 | 14 / 14 | |
| 1.0.957 | 14 / 14 | |
| 1.0.956 | 14 / 14 | |
| 1.0.955 | 14 / 14 | |
| 1.0.954 | 14 / 14 | |
| 1.0.953 | 14 / 14 | |
| 1.0.952 | 14 / 14 | |
| 1.0.951 | 14 / 14 | |
| 1.0.950 | 14 / 14 | |
| 1.0.949 | 14 / 14 | |
| 1.0.948 | 14 / 14 | |
| 1.0.947 | 14 / 14 | |
| 1.0.946 | 14 / 14 | |
| 1.0.945 | 14 / 14 | |
| 1.0.944 | 14 / 14 | |
| 1.0.943 | 14 / 14 | |
| 1.0.942 | 14 / 14 | |
| 1.0.941 | 14 / 14 | |
| 1.0.940 | 14 / 14 | |
| 1.0.939 | 14 / 14 | |
| 1.0.938 | 14 / 14 | |
| 1.0.937 | 14 / 14 | |
| 1.0.936 | 14 / 14 | |
| 1.0.935 | 14 / 14 | |
| 1.0.934 | 14 / 14 | |
| 1.0.933 | 14 / 14 | |
| 1.0.932 | 14 / 14 | |
| 1.0.931 | 14 / 14 | |
| 1.0.930 | 14 / 14 | |
| 1.0.929 | 14 / 14 | |
| 1.0.928 | 14 / 14 | |
| 1.0.927 | 14 / 14 | |
| 1.0.926 | 14 / 14 | |
| 1.0.925 | 14 / 14 | |
| 1.0.924 | 14 / 14 | |
| 1.0.923 | 14 / 14 | |
| 1.0.922 | 14 / 14 | |
| 1.0.921 | 14 / 14 | |
| 1.0.920 | 14 / 14 | |
| 1.0.919 | 14 / 14 | |
| 1.0.918 | 14 / 14 | |
| 1.0.917 | 14 / 14 | |
| 1.0.887 | 14 / 14 | |
| 1.0.874 | 14 / 14 | |
| 1.0.873 | 14 / 14 | |
| 1.0.872 | 14 / 14 | |
| 1.0.871 | 14 / 14 | |
| 1.0.870 | 14 / 14 | |
| 1.0.869 | 14 / 14 | |
| 1.0.868 | 14 / 14 | |
| 1.0.867 | 14 / 14 | |
| 1.0.866 | 14 / 14 | |
| 1.0.865 | 14 / 14 | |
| 1.0.864 | 14 / 14 | |
| 1.0.863 | 14 / 14 | |
| 1.0.862 | 14 / 14 | |
| 1.0.861 | 14 / 14 | |
| 1.0.860 | 14 / 14 | |
| 1.0.859 | 14 / 14 | |
| 1.0.858 | 14 / 14 | |
| 1.0.857 | 14 / 14 | |
| 1.0.856 | 14 / 14 | |
| 1.0.855 | 14 / 14 | |
| 1.0.854 | 14 / 14 | |
| 1.0.853 | 14 / 14 | |
| 1.0.852 | 14 / 14 | |
| 1.0.851 | 14 / 14 | |
| 1.0.850 | 14 / 14 | |
| 1.0.849 | 14 / 14 | |
| 1.0.848 | 14 / 14 | |
| 1.0.847 | 14 / 14 | |
| 1.0.846 | 14 / 14 | |
| 1.0.845 | 14 / 14 | |
| 1.0.844 | 14 / 14 | |
| 1.0.843 | 14 / 14 | |
| 1.0.842 | 14 / 14 | |
| 1.0.841 | 14 / 14 | |
| 1.0.840 | 14 / 14 | |
| 1.0.834 | 14 / 14 | |
| 1.0.833 | 14 / 14 | |
| 1.0.832 | 14 / 14 | |
| 1.0.831 | 14 / 14 | |
| 1.0.830 | 14 / 14 | |
| 1.0.829 | 14 / 14 | |
| 1.0.828 | 14 / 14 | |
| 1.0.827 | 14 / 14 | |
| 1.0.826 | 14 / 14 | |
| 1.0.825 | 14 / 14 | |
| 1.0.824 | 14 / 14 | |
| 1.0.823 | 14 / 14 | |
| 1.0.822 | 14 / 14 | |
| 1.0.821 | 14 / 14 | |
| 1.0.820 | 14 / 14 | |
| 1.0.819 | 14 / 14 | |
| 1.0.818 | 14 / 14 | |
| 1.0.817 | 14 / 14 | |
| 1.0.816 | 14 / 14 |
v1.0.961
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.960
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.959
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.958
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.957
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.956
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.955
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.954
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.953
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.952
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.951
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.950
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.949
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.948
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.947
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.946
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.945
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.944
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.943
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.942
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.941
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.940
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.939
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.938
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.937
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.936
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.935
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.934
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.933
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.932
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.931
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.930
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.929
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.928
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.927
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.926
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.925
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.924
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.923
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.922
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.921
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.920
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.919
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.918
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.917
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.887
2 findingsThis version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.874
2 findingsThis version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.873
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.872
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.871
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.870
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.869
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.868
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.867
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.866
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.865
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.864
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.863
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.862
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.861
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.860
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.859
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.858
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.857
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.856
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.855
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.854
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.853
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.852
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.851
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.850
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.849
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.848
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.847
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.846
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.845
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.844
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.843
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.842
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.841
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.840
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.834
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.833
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.832
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.831
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.830
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.829
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.828
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.827
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.826
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.825
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.824
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.823
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.822
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.821
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.820
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.819
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.818
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.817
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.816
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.