mdast-util-definitions
mdast utility to find definition nodes in a tree
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @types/mdast and @types/unist are TypeScript type packages directly relevant to this mdast utility; adding them is benign and consistent with the package's TypeScript migration pattern. | ai | |
| dependencies | unvetted-dep:@types/mdast | AI (dependencies): @types/mdast is a standard DefinitelyTyped type package used legitimately in the unified/mdast ecosystem for TypeScript type exports; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): @types/mdast is a TypeScript type dependency used for type declarations, not direct JS imports; this pattern is expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/unist | AI (phantom-deps): @types/unist is a TypeScript type dependency used for type declarations, not direct JS imports; this pattern is expected and stable for this package. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 6.0.0 | 3 / 9 | |
| 5.1.2 | 3 / 9 | |
| 5.1.1 | 3 / 11 | |
| 5.1.0 | 3 / 11 | |
| 5.0.0 | 3 / 11 | |
| 4.0.0 | 1 / 11 | |
| 3.0.1 | 1 / 11 | |
| 3.0.0 | 2 / 10 | |
| 2.0.1 | 1 / 9 | |
| 2.0.0 | 1 / 9 | |
| 1.2.5 | 1 / 9 | |
| 1.2.4 | 1 / 9 | |
| 1.2.3 | 1 / 9 | |
| 1.2.2 | 1 / 8 | |
| 1.2.1 | 2 / 8 | |
| 1.2.0 | 2 / 8 | |
| 1.1.1 | 1 / 14 | |
| 1.1.0 | 1 / 13 | |
| 1.0.0 | 1 / 13 | |
| 0.1.0 | 1 / 11 |
v6.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.