docz-core
All docz core logic of bundle and parsing is included on this package
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Consistent with publisher/environment change during v2 major rewrite; not independently suspicious. | ai | |
| provenance | no-provenance | AI (provenance): Published in 2019, before Sigstore provenance was available on npm. | ai | |
| phantom-deps | phantom-dep:react-docgen-external-proptypes-handler | AI (phantom-deps): Legitimate react-docgen handler; phantom detection reflects indirect/config usage in docz-core's component parsing pipeline. | ai | |
| provenance | publisher-changed | AI (provenance): rakannimer is a known docz co-maintainer; the 2019 transition from pedronauck is a documented legitimate handoff for the docz project, not a compromise. | ai | |
| phantom-deps | phantom-dep:latest-version | AI (phantom-deps): latest-version is a legitimate utility; phantom detection reflects indirect usage pattern in this package. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): ora is a legitimate spinner library; phantom detection likely reflects indirect/config usage in this package's build tooling. | ai | |
| dependencies | unvetted-dep:html-minifier | AI (dependencies): html-minifier is a well-known, widely-used library; its use in a documentation framework is expected and benign. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:wait-on | AI (dependencies): wait-on is a legitimate utility used in dev toolchains to wait for ports/resources; its use in docz-core is appropriate and consistent across versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): docz-core is a well-established package (2887 days, 212 versions). Missing metadata fields are a quality issue, not a security signal. | ai | |
| phantom-deps | phantom-dep:serve | AI (phantom-deps): serve is used as a CLI/subprocess tool in docz-core, not directly imported. This is expected behavior for a static file server dependency in a docs build tool. | ai | |
| phantom-deps | phantom-dep:acorn | AI (phantom-deps): acorn is a parser dependency loaded indirectly via webpack/babel toolchain; phantom detection is a false positive for this build framework. | ai | |
| phantom-deps | phantom-dep:@babel/polyfill | AI (phantom-deps): Framework-scoped babel polyfill loaded by convention; phantom detection is a false positive for this build tool. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped babel runtime loaded by convention; phantom detection is a false positive for this build tool. | ai | |
| phantom-deps | phantom-dep:@svgr/webpack | AI (phantom-deps): webpack loader loaded via config rather than direct import; standard pattern for webpack plugins in build tools. | ai | |
| phantom-deps | phantom-dep:remark-parse | AI (phantom-deps): remark-parse is part of docz's MDX/remark processing pipeline, loaded via config; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped package loaded by convention in babel/webpack pipeline; phantom detection is expected for this build tool. | ai | |
| phantom-deps | phantom-dep:recast | AI (phantom-deps): recast is used indirectly in docz-core's AST transformation pipeline; not directly imported but legitimately used. | ai | |
| phantom-deps | phantom-dep:webpack-hot-client | AI (phantom-deps): webpack-hot-client is loaded via webpack config rather than direct import; standard pattern for webpack plugins. | ai | |
Versions (showing 73 of 73)
| Version | Deps | Published |
|---|---|---|
| 2.4.0 | 33 / 0 | |
| 2.3.0 | 30 / 11 | |
| 2.2.0 | 30 / 11 | |
| 2.1.1 | 30 / 11 | |
| 2.1.0 | 30 / 11 | |
| 2.0.0 | 30 / 11 | |
| 1.2.0 | 62 / 13 | |
| 1.1.0 | 61 / 12 | |
| 1.0.4 | 62 / 12 | |
| 1.0.1 | 62 / 12 | |
| 0.13.7 | 62 / 5 | |
| 0.13.6 | 62 / 5 | |
| 0.13.5 | 62 / 0 | |
| 0.13.4 | 61 / 0 | |
| 0.13.3 | 61 / 0 | |
| 0.13.2 | 61 / 0 | |
| 0.13.1 | 61 / 0 | |
| 0.13.0 | 61 / 0 | |
| 0.12.16 | 66 / 18 | |
| 0.12.15 | 66 / 18 | |
| 0.12.14 | 66 / 18 | |
| 0.12.13 | 67 / 18 | |
| 0.12.12 | 65 / 18 | |
| 0.12.11 | 65 / 18 | |
| 0.12.10 | 64 / 18 | |
| 0.12.9 | 64 / 17 | |
| 0.12.8 | 64 / 17 | |
| 0.12.7 | 64 / 18 | |
| 0.12.6 | 64 / 18 | |
| 0.12.5 | 64 / 18 | |
| 0.12.2 | 64 / 18 | |
| 0.11.2 | 70 / 18 | |
| 0.11.1 | 71 / 18 | |
| 0.11.0 | 71 / 19 | |
| 0.10.3 | 76 / 20 | |
| 0.10.2 | 76 / 20 | |
| 0.10.1 | 76 / 20 | |
| 0.10.0 | 76 / 20 | |
| 0.9.6 | 72 / 20 | |
| 0.9.4 | 72 / 20 | |
| 0.9.3 | 72 / 20 | |
| 0.9.2 | 72 / 20 | |
| 0.9.1 | 72 / 20 | |
| 0.9.0 | 72 / 20 | |
| 0.8.0 | 67 / 20 | |
| 0.7.0 | 67 / 20 | |
| 0.6.2 | 69 / 20 | |
| 0.6.0 | 68 / 20 | |
| 0.5.9 | 66 / 19 | |
| 0.5.7 | 66 / 19 | |
| 0.5.6 | 66 / 19 | |
| 0.5.5 | 63 / 19 | |
| 0.5.4 | 63 / 19 | |
| 0.5.2 | 63 / 19 | |
| 0.5.1 | 63 / 19 | |
| 0.5.0 | 63 / 19 | |
| 0.4.0 | 63 / 19 | |
| 0.3.4 | 62 / 19 | |
| 0.3.3 | 62 / 19 | |
| 0.3.2 | 61 / 20 | |
| 0.3.1 | 61 / 20 | |
| 0.2.11 | 60 / 20 | |
| 0.2.10 | 60 / 20 | |
| 0.2.9 | 60 / 20 | |
| 0.2.8 | 60 / 20 | |
| 0.2.7 | 60 / 20 | |
| 0.2.6 | 60 / 20 | |
| 0.2.4 | 60 / 20 | |
| 0.2.3 | 59 / 20 | |
| 0.2.2 | 59 / 20 | |
| 0.2.0 | 59 / 20 | |
| 0.1.1 | 55 / 20 | |
| 0.1.0 | 55 / 20 | |
v2.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-11. This could indicate a legitimate maintainer transition or an account compromise.
v2.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findings
This version was published by a different npm account than previous versions on 2019-11-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rakannimer.
This version was published by a different npm account than previous versions on 2019-11-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.