hast-util-raw — Greenflagged

hast utility to reparse a tree

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wooormkmck

Keywords

hast-utilhasthtmlunistutilityutilparseraw

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): wooorm (Titus Wormer) is the primary maintainer of the unified/syntax-tree ecosystem; removal of co-maintainers is routine housekeeping, not a takeover signal.	ai	2026/04/22
phantom-deps	phantom-dep:@types/parse5	AI (phantom-deps): @types/* packages are TypeScript type definitions; declaring them as deps is a common pattern in TS-first packages with no security implication.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): kmck and murderlon are known contributors in the unified/syntax-tree ecosystem; addition reflects legitimate collaborative maintenance, not a hostile takeover.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Size increase from 7KB to 22KB reflects expanded functionality in a major version bump; no obfuscation or injected payload indicators present.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New deps (extend, unist-util-visit, mdast-util-to-hast) are established unified-ecosystem packages added as part of a legitimate major version bump by a trusted maintainer.	ai	2026/04/22
dependencies	unvetted-dep:html-void-elements	AI (dependencies): html-void-elements is a standard utility in the unified ecosystem; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:hast-util-to-parse5	AI (dependencies): hast-util-to-parse5 is a core syntax-tree package; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:unist-util-position	AI (dependencies): unist-util-position is a core unified ecosystem package; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:hast-util-from-parse5	AI (dependencies): hast-util-from-parse5 is a core syntax-tree package; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:@ungap/structured-clone	AI (dependencies): @ungap/structured-clone is a well-known polyfill package; legitimate dependency for cross-environment compatibility.	ai	2026/04/22
dependencies	unvetted-dep:mdast-util-to-hast	AI (dependencies): mdast-util-to-hast is a core unified/syntax-tree package; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:vfile	AI (dependencies): vfile is a core unified ecosystem package maintained by the same community; legitimate dependency for this package.	ai	2026/04/22
dependencies	unvetted-dep:zwitch	AI (dependencies): zwitch is a well-known utility in the unified ecosystem; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:web-namespaces	AI (dependencies): web-namespaces is a standard utility in the unified/syntax-tree ecosystem; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:unist-util-visit	AI (dependencies): unist-util-visit is a core unified ecosystem package; legitimate dependency.	ai	2026/04/22
dependencies	unvetted-dep:@types/hast	AI (dependencies): TypeScript type definitions are standard dependencies for typed libraries; @types/hast is a legitimate peer type definition.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates widespread Sigstore provenance adoption on npm; wooorm is a highly trusted publisher with a long track record and zero rejections.	ai	2026/04/22
phantom-deps	phantom-dep:@types/unist	AI (phantom-deps): @types/unist is a TypeScript type package; declaring it as a dependency without direct import is a standard pattern for providing types to consumers.	ai	2026/04/21
phantom-deps	phantom-dep:@types/hast	AI (phantom-deps): Type definitions are framework-scoped and loaded by convention; not a functional phantom dependency.	ai	2026/04/21