← Home

html5

npm Repository Homepage

HTML5 HTML parser, including support for SVG and MathML foreign content

37
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aredridel

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:async AI (phantom-deps): async is referenced in config/test infrastructure, not directly imported in library source. Stable false positive for this package. ai
phantom-deps phantom-dep:tap AI (phantom-deps): tap is a test runner referenced in test config/scripts; not imported in runtime source. Stable false positive for this package. ai
phantom-deps phantom-dep:opts AI (phantom-deps): opts is a CLI options utility referenced in config files; not imported in runtime source. Stable false positive for this package. ai
phantom-deps phantom-dep:bench AI (phantom-deps): bench is a benchmarking utility referenced in config files; not imported in runtime source. Stable false positive for this package. ai
maintainer-change maintainer-removed AI (maintainer-change): Aria Stewart was replaced by their own aredridel account — same person, different npm username. Not a hostile removal. ai
maintainer-change maintainer-takeover AI (maintainer-change): aredridel is the original author Aria Stewart's own npm/GitHub handle ([email protected], github.com/aredridel). This is an identity consolidation, not a hostile takeover. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainer aredridel is the same person as original author Aria Stewart per matching email and GitHub handle in package.json. ai
npm-metadata bundled-binaries AI (npm-metadata): The .node binary is libxmljs.node from the htmlparser dependency, a well-known native XML parsing library. Vendored in node_modules/.npm cache, consistent with legitimate DOM implementation tooling. ai
semgrep semgrep:child-process-import AI (semgrep): child_process usage is in tools/ronnjs/bin/ronn.js, a documentation generation dev tool that spawns 'man' to display man pages. Not in runtime library code. ai
bogus-package bogus-package AI (bogus-package): Very old package (~15 years) from early npm era; missing metadata fields were common then. Consistent downloads and approved-dep edges confirm legitimate ecosystem use. ai
semgrep semgrep:dynamic-require AI (semgrep): Flagged code is in bundled jsdom example/demo files using standard __dirname-relative path construction, not arbitrary dynamic module loading. Stable false positive for this package. ai
source-diff net-exec-file:doc/jquery.js AI (source-diff): doc/jquery.js is jQuery v1.4.2, a well-known library used as a documentation asset. Network+exec pattern is jQuery's standard AJAX script loading, not malware. ai
source-diff net-exec-file:doc/sh_main.js AI (source-diff): doc/sh_main.js is SHJS syntax highlighter, a legitimate open-source library. eval() is its documented mechanism for loading language definitions dynamically. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires in doc/jquery.js, a bundled jQuery documentation asset. new Function() is standard jQuery internals, not runtime library code. ai
semgrep semgrep:eval-usage AI (semgrep): Fires in doc/sh_main.js, a syntax highlighter documentation asset. eval() is a known pattern in older syntax highlighters for lazy-loading; not in runtime library code. ai

Versions (showing 37 of 37)

Version Deps Published
1.0.5 3 / 3
1.0.4 3 / 3
1.0.3 3 / 3
1.0.2 3 / 3
1.0.1 3 / 3
1.0.0 3 / 3
0.4.1 3 / 3
0.4.0 3 / 3
0.3.16 3 / 3
0.3.15 3 / 3
0.3.14 3 / 3
0.3.13 3 / 3
0.3.12 3 / 3
0.3.11 3 / 3
0.3.10 3 / 3
0.3.9 6 / 1
0.3.8 5 / 0
0.3.7 5 / 0
0.3.5 3 / 0
0.3.4 3 / 0
0.3.2 2 / 0
0.3.1 2 / 0
0.3.0 2 / 0
0.2.16 2 / 0
0.2.15 2 / 0
0.2.14 2 / 0
0.2.13 2 / 0
0.2.12 2 / 0
0.2.11 2 / 0
0.2.10 2 / 0
0.2.9 2 / 0
0.2.7 2 / 0
0.2.6 2 / 0
0.2.5 2 / 0
0.2.4 2 / 0
0.2.3 2 / 0
0.2.2 0 / 0

v1.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

2 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (aria stewart) were replaced by new maintainers (aredridel). This is a strong signal of a potential package hijack and requires careful review.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.9

3 findings
HIGH New file with network + code execution: doc/jquery.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: doc/sh_main.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.7

3 findings
HIGH New file with network + code execution: doc/jquery.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: doc/sh_main.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

2 findings
HIGH Bundled binary files (2) npm-metadata

Package contains compiled binaries that could be backdoors: • node_modules/.npm/htmlparser/1.7.3/package/libxmljs.node • node_modules/.npm/.cache/htmlparser/1.7.3/package/libxmljs.node

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.