domhandler

Handler for htmlparser2 that turns pages into a DOM

Versions: 7
License: BSD-2-Clause
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

fb55

Keywords

dom, htmlparser2

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-takeover | AI (maintainer-change): fb55 and feedic are the same person (Felix Boehm); feedic is his email domain, fb55 is his GitHub handle. Not a takeover. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): fb55 is the original author consolidating npm accounts; same person as feedic. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): feedic account replaced by fb55 account; same person (Felix Boehm). | ai |
provenance | publisher-changed | AI (provenance): Publishing moved to GitHub Actions CI/CD with SLSA provenance from the canonical fb55/domhandler repo. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Major version bump (v6) after stable v4/v5 period; expected for mature packages with infrequent releases. | ai |
dependencies | unvetted-dep:domelementtype | AI (dependencies): domelementtype is a sibling package in the fb55/htmlparser2 ecosystem; it is a natural and expected dependency for domhandler across all versions. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
6.0.1 | 1 / 12 |
6.0.0 | 1 / 12 |
5.0.3 | 1 / 11 |
5.0.2 | 1 / 11 |
5.0.1 | 1 / 11 |
5.0.0 | 1 / 11 |
4.2.2 | 1 / 11 |

v6.0.0

3 findings
[HIGH] Complete maintainer takeover detected (rule: maintainer-change)

All previous maintainers (feedic) were replaced by new maintainers (fb55). This is a strong signal of a potential package hijack and requires careful review.

[HIGH] Publisher changed: feedic → GitHub Actions (on 2026-03-17) (rule: provenance)

This version was published by a different npm account than previous versions on 2026-03-17. This could indicate a legitimate maintainer transition or an account compromise.

[INFO] Has SLSA provenance attestation (rule: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.3

1 finding
[LOW] No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.2

1 finding
[LOW] No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

1 finding
[LOW] No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

1 finding
[LOW] No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.2

1 finding
[LOW] No provenance attestation (rule: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.