html-dom-parser

Versions: 9
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

remarkablemark

Keywords

html-dom-parser, html, dom, parser, htmlparser2, pojo

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | encoded-string-file:dist/htmlparser2.js | AI (source-diff): Long encoded string is the htmlparser2 HTML entity decode trie (base64-packed lookup table), a stable legitimate pattern for this package. | ai | |
| source-diff | obfuscated-file:esm/node_modules/entities/dist/esm/generated/decode-data-html.mjs | AI (source-diff): Base64-encoded HTML entity decode table generated by entities package build scripts; not malicious. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase due to bundling htmlparser2 and entities deps into the package; expected for this build change. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are bundled dependency outputs (rollup build artifacts); not injected payloads. | ai | |
| source-diff | obfuscated-file:esm/node_modules/entities/dist/generated/decode-data-html.mjs | AI (source-diff): Known base64-encoded HTML decode trie from the entities package; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/htmlparser2.js | AI (source-diff): UMD bundle of htmlparser2 dep produced by rollup; long lines are minified but not malicious. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is part of htmlparser2 bundled utility for binary encoding; not a malicious payload pattern. | ai | |

Versions (showing 9 of 9)

Version Deps Published
7.1.0 2 / 37
7.0.1 2 / 37
7.0.0 2 / 37
6.0.0 2 / 37
5.1.8 2 / 36
5.1.7 2 / 42
5.1.5 2 / 41
5.1.4 2 / 41
5.1.2 2 / 41

v7.1.0

2 findings
HIGH Long encoded string in modified file: dist/htmlparser2.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

3 findings
HIGH New obfuscated file: dist/htmlparser2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm/node_modules/entities/dist/generated/decode-data-html.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.8

3 findings
HIGH New obfuscated file: dist/htmlparser2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm/node_modules/entities/dist/esm/generated/decode-data-html.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.7

3 findings
HIGH New obfuscated file: dist/htmlparser2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm/node_modules/entities/dist/esm/generated/decode-data-html.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.