diagram-js @15.14.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 38
License:
Install Scripts: No
Dependencies: 9
Dev Dependencies: 26
Package Size: 224.8 KB
Published:

Maintainers

bpmn-io-adminnikkubarmacphilippfrommemaxtruskaiir-camundavsgoulartbarinalijarekdanielakev-camundaalekseymanetovsimon-steinruecken-camunda

Keywords

modeler, modeling, canvas, diagram-js

Dependencies (9)

Package                  Constraint  Registry Status
clsx                     ^2.1.1      auto_approved
didi                     ^11.0.0     auto_approved
min-dom                  ^5.3.0      auto_approved
min-dash                 ^5.0.0      auto_approved
tiny-svg                 ^4.1.4      auto_approved
object-refs              ^0.4.0      auto_approved
inherits-browser         ^0.1.0      auto_approved
path-intersection        ^4.1.0      auto_approved
@bpmn-io/diagram-js-ui   ^0.2.3      auto_approved

Dev Dependencies (26)

Package                        Constraint  Registry Status
chai                           ^6.0.0      auto_approved
karma                          ^6.4.4      auto_approved
mocha                          ^11.0.0     auto_approved
sinon                          ^21.0.0     auto_approved
eslint                         ^9.39.2     auto_approved
jquery                         ^4.0.0      auto_approved
bio-dts                        ^0.11.0     Not imported
del-cli                        ^7.0.0      auto_approved
webpack                        ^5.104.1    auto_approved
puppeteer                      ^24.42.0    auto_approved
sinon-chai                     ^4.0.0      auto_approved
typescript                     ^5.9.3      auto_approved
@babel/core                    ^7.28.6     auto_approved
karma-mocha                    ^2.0.1      auto_approved
babel-loader                   ^10.0.0     No greenflagged match
npm-run-all2                   ^8.0.4      auto_approved
@bpmn-io/a11y                  ^0.1.0      Not imported
karma-webpack                  ^5.0.1      auto_approved
karma-coverage                 ^2.2.1      auto_approved
babel-plugin-istanbul          ^8.0.0      auto_approved
eslint-plugin-bpmn-io          ^2.2.0      Not imported
karma-safari-launcher          ^1.0.0      auto_approved
karma-firefox-launcher         ^2.1.3      auto_approved
@testing-library/preact        ^3.2.4      No greenflagged match
karma-chrome-launcher-2        ^3.3.0      auto_approved
mocha-test-container-support   ^0.2.0      Not imported

Transitive Dependency Tree

12 transitive deps, max depth 2
  ├─ @bpmn-io/diagram-js-ui ^0.2.3 → 0.2.3
  ├─ clsx ^2.1.1 → 2.1.1
  ├─ didi ^11.0.0 → 11.0.0
  ├─ inherits-browser ^0.1.0 → 0.1.0
  ├─ min-dash ^5.0.0 → 5.0.0
  ├─ min-dom ^5.3.0 → 5.3.0
  ├─ object-refs ^0.4.0 → 0.4.0
  ├─ path-intersection ^4.1.0 → 4.1.0
  ├─ tiny-svg ^4.1.4 → 4.1.4
  ├─ domify ^3.0.0
  ├─ htm ^3.1.1 → 3.1.1
  ├─ min-dash ^5.0.0 → 5.0.0
  ├─ preact ^10.11.2 → 10.29.2

Changes from v15.13.0

No metadata changes detected.

File Changes

0 added, 0 removed, 2 modified; size delta: +.0 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
publisher-changed provenance reject AI AI (provenance): SPAM-FLAGGED publisher took over from nikku; generalizes to all future versions until legitimate maintainer is restored.
bogus-package bogus-package reject AI AI (bogus-package): Maintainer jarekdanielak is flagged as spam; stable reject signal for this package under this publisher.

SAST Findings (2)

HIGH Publisher changed: nikku → jarekdanielak (on 2026-04-30) provenance

This version was published by a different npm account than previous versions on 2026-04-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3), 1 info (+0).

Commit: f3b3a3513100

Published to npm: