hast-util-phrasing — Greenflagged

hast utility to check if a node is phrasing content

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wooormkmck

Keywords

unisthasthast-utilutilutilityhtmlcategoryphrasing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @types/hast is a TypeScript type definitions package; adding it as a runtime dep is standard practice in the syntax-tree/unified ecosystem for type re-exports. Not a supply chain risk.	ai	2026/04/24
dependencies	unvetted-dep:@types/hast	AI (dependencies): @types/hast is the standard TypeScript type package for hast, a core dependency in the syntax-tree ecosystem. Expected and legitimate for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@types/hast	AI (phantom-deps): @types/hast provides TypeScript types used at compile time, not via direct import. Framework-scoped usage is correct and expected for this package.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Mass-production signal references wrong maintainer (kmck vs wooorm). Empty main is normal ESM re-export pattern in the unified/syntax-tree ecosystem. Package has 1.5M weekly downloads and is a legitimate utility.	ai	2026/04/23

Versions (showing 11 of 11)

Version	Deps	Published
3.0.1	5 / 10	2023-08-30
3.0.0	5 / 10	2023-08-02
2.0.2	5 / 10	2023-01-06
2.0.1	4 / 12	2022-05-27
2.0.0	4 / 12	2021-04-26
1.0.5	4 / 10	2020-02-28
1.0.4	4 / 10	2019-05-25
1.0.3	4 / 10	2019-05-25
1.0.2	4 / 10	2018-11-07
1.0.1	4 / 10	2018-06-11
1.0.0	4 / 9	2016-09-27