commonmark
a strongly specified, highly compatible variant of Markdown
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/normalize-reference.ts | AI (source-diff): Long lines are a Unicode case-folding regex derived from the fold-case library (MIT licensed, credited in file header). This is expected for CommonMark Unicode normalization, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 814 new files are bower_components vendor trees for dingus demo and bench directories. Explained by legitimate vendoring of ace, bootstrap, lodash, etc. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process in Ace editor tool/update_deps.js — a developer tool script in vendored bower_components, not runtime code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from 109KB to 17MB is entirely due to vendored bower_components (ace editor ~10MB+, bootstrap, lodash, etc.) in demo/bench directories. | ai | |
| source-diff | obfuscated-file:dingus/ace.js | AI (source-diff): Minified Ace editor — canonical code editor library. Long lines are minification, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:dingus/bower_components/ace/demo/kitchen-sink/demo.js | AI (source-diff): Ace editor demo file vendored in dingus/ demo directory. Legitimate library code, not runtime package code. | ai | |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): Finding is a keyword match against AutoHotKey syntax highlighting rule string literals in Ace editor source — not actual DLL injection code. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in RequireJS req.exec() within vendored Ace demo bower_components — well-known legitimate pattern, not runtime package code. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in Ace editor experiments/worker.js — vendored demo code, not runtime package code. | ai | |
| source-diff | net-exec-file:bench/bower_components/benchmark/benchmark.js | AI (source-diff): Legitimate vendored Benchmark.js v1.0.0 library in bench/bower_components; UMD wrapper pattern misidentified as dropper. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:bench/bower_components/markdown-it/dist/markdown-it.js | AI (source-diff): Legitimate vendored markdown-it 3.0.6 dist bundle in bench/bower_components; UMD wrapper misidentified as dropper. Stable false positive for this package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction reflects packaging cleanup (removal of test fixtures/spec files); the dist bundle was added simultaneously. Benign reorganization for this package. | ai | |
| source-diff | obfuscated-file:dist/commonmark.js | AI (source-diff): dist/commonmark.js is a standard UMD/browserify bundle for the commonmark browser build; long lines are expected minification, not obfuscation. Stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package (4188 days old) predating Sigstore provenance attestation. No provenance is expected for this package's publishing workflow. | ai | |
| source-diff | obfuscated-file:lib/normalize-reference.js | AI (source-diff): File contains a Unicode case-folding/normalization regex table derived from fold-case by Mathias Bynens. Long lines are dense Unicode char class ranges, not obfuscation. Legitimate and expected for this library. | ai | |
| source-diff | obfuscated-file:bower_components/markdown-it/dist/markdown-it.js | AI (source-diff): This is the standard minified/bundled distribution of markdown-it 4.3.0 (MIT). Long lines are from browserify bundling, not obfuscation. Safe for this package's demo/dingus component. | ai | |
| source-diff | net-exec-file:bower_components/markdown-it/dist/markdown-it.js | AI (source-diff): The 'network + exec' pattern is the standard UMD wrapper in the markdown-it browser bundle. No actual network calls or malicious dynamic execution present. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires in vendored benchmark fixture (bench/bower_components/showdown). Not part of the package's runtime code; stable false positive for this package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost) in a vendored Bootstrap Gruntfile used for local test running. Completely benign; stable false positive for this package. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.31.2 | 3 / 18 | |
| 0.31.1 | 3 / 18 | |
| 0.31.0 | 4 / 18 | |
| 0.30.0 | 4 / 18 | |
| 0.29.3 | 4 / 18 | |
| 0.29.2 | 4 / 19 | |
| 0.29.1 | 4 / 12 | |
| 0.29.0 | 4 / 11 | |
| 0.28.1 | 4 / 0 | |
| 0.28.0 | 4 / 0 | |
| 0.27.0 | 4 / 0 | |
| 0.26.0 | 4 / 0 | |
| 0.25.1 | 4 / 0 | |
| 0.25.0 | 4 / 0 | |
| 0.24.0 | 3 / 0 | |
| 0.23.0 | 3 / 0 | |
| 0.22.1 | 3 / 0 | |
| 0.22.0 | 3 / 0 | |
| 0.21.0 | 3 / 0 | |
| 0.20.0 | 0 / 0 | |
| 0.19.0 | 0 / 0 | |
| 0.18.2 | 0 / 0 | |
| 0.18.1 | 0 / 0 | |
| 0.17.1 | 0 / 0 | |
| 0.17.0 | 0 / 0 | |
| 0.16.0 | 0 / 0 | |
| 0.15.0 | 0 / 0 | |
| 0.12.0 | 0 / 0 | |
| 0.9.0 | 0 / 0 |
v0.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.1
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
DLL injection API detected — potential process injection attack Source: https://github.com/jgm/commonmark.js/blob/9cc03545c2bdf57e1f23958b71e18789fb954d42/dingus/bower_components/ace/lib/ace/mode/autohotkey_highlight_rules.js#L46 44 | var autoItKeywords = 'And|ByRef|Case|Const|ContinueCase|ContinueLoop|Default|Dim|Do|Else|ElseIf|EndFunc|EndIf|EndSel 45 | 'Abs|ACos|AdlibDisable|AdlibEnable|Asc|AscW|ASin|Assign|ATan|AutoItSetOption|AutoItWinGetTitle|AutoItWinSetTitle > 46 | 'ArrayAdd|ArrayBinarySearch|ArrayConcatenate|ArrayDelete|ArrayDisplay|ArrayFindAll|ArrayInsert|ArrayMax|ArrayMax 47 | 'ce|comments-end|comments-start|cs|include|include-once|NoTrayIcon|RequireAdmin|' + 48 | 'AutoIt3Wrapper_Au3Check_Parameters|AutoIt3Wrapper_Au3Check_Stop_OnWarning|AutoIt3Wrapper_Change2CUI|AutoIt3Wrap
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.