mdast-util-gfm-autolink-literal
mdast extension to parse and serialize GFM autolink literals
1
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
wooormkmck
Keywords
unistmdastmdast-utilutilutilitymarkdownmarkupautolinkautolinkliteralurlrawgfm
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:ccount | AI (dependencies): ccount is a well-known utility from the unified/syntax-tree ecosystem by wooorm; stable legitimate dependency for this package. | ai | |
| dependencies | unvetted-dep:devlop | AI (dependencies): devlop is a standard development-mode utility from the unified ecosystem by wooorm; stable legitimate dependency. | ai | |
| dependencies | unvetted-dep:@types/mdast | AI (dependencies): @types/mdast is the official TypeScript types for mdast; expected dependency in this ecosystem. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): TypeScript type packages are commonly declared as runtime deps for consumers in the unified ecosystem; not a real phantom dependency issue. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver is explained by ecosystem convention (major version continuity); mass-production signal references a different maintainer (kmck), not the actual publisher wooorm. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 5 / 13 |