mdast-util-to-hast
mdast utility to transform to hast
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:normalize-uri | AI (dependencies): normalize-uri is a wooorm-authored utility consistent with the rest of this package's dependency ecosystem; no malicious signals. | ai | |
| provenance | no-provenance | AI (provenance): Mature package from established publisher; provenance absence is acceptable for this ecosystem context. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are type definitions and micromark-util-sanitize-uri; legitimate additions for improved type safety and URI handling. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are TypeScript-generated type definitions (.d.ts); expected output from build system upgrade. | ai | |
| phantom-deps | phantom-dep:@types/mdurl | AI (phantom-deps): Type definitions loaded by TypeScript convention; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@types/mdurl | AI (dependencies): @types/mdurl is a TypeScript type definition package for mdurl (already a runtime dep); legitimate and low-risk for this TypeScript library package. | ai | |
| dependencies | unvetted-dep:mdast-util-definitions | AI (dependencies): mdast-util-definitions is a well-known mdast utility from the same unified/syntax-tree ecosystem authored by wooorm; not a suspicious dependency. | ai | |
| dependencies | unvetted-dep:unist-util-generated | AI (dependencies): unist-util-generated is a well-known utility from the same unified/syntax-tree ecosystem authored by wooorm; not a suspicious dependency. | ai | |
| phantom-deps | phantom-dep:@types/unist | AI (phantom-deps): @types/unist is a TypeScript type package used by convention in the unist ecosystem; not a real runtime phantom dependency concern for this package. | ai | |
| dependencies | unvetted-dep:@types/mdast | AI (dependencies): Type definitions from DefinitelyTyped ecosystem are standard practice; conservative version constraint. | ai | |
| dependencies | unvetted-dep:devlop | AI (dependencies): devlop is a wooorm/unified-ecosystem utility package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:trim-lines | AI (dependencies): trim-lines is a wooorm/unified-ecosystem utility; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:unist-util-visit | AI (dependencies): unist-util-visit is a core unified/syntax-tree utility; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:micromark-util-sanitize-uri | AI (dependencies): micromark-util-sanitize-uri is part of the micromark ecosystem by wooorm; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@types/hast | AI (dependencies): Type definitions for hast; standard dependency for TypeScript-based markdown utilities. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): Type definitions loaded by TypeScript convention; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@types/hast | AI (phantom-deps): Type definitions loaded by TypeScript convention; stable pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver reflects a long-established package (v13.x is legitimate progression). Mass-production signal references a different maintainer (kmck), not the primary publisher wooorm. Both signals are false positives for this package. | ai |
Versions (showing 51 of 55)
| Version | Deps | Published |
|---|---|---|
| 13.2.1 | 9 / 14 | |
| 12.3.0 | 8 / 13 | |
| 12.2.6 | 9 / 14 | |
| 12.2.5 | 9 / 14 | |
| 12.2.4 | 9 / 14 | |
| 12.2.3 | 9 / 14 | |
| 12.2.2 | 11 / 14 | |
| 12.2.1 | 11 / 14 | |
| 12.2.0 | 11 / 14 | |
| 12.1.2 | 11 / 14 | |
| 12.1.1 | 10 / 14 | |
| 12.1.0 | 10 / 14 | |
| 12.0.0 | 10 / 14 | |
| 11.3.0 | 9 / 16 | |
| 11.2.1 | 9 / 16 | |
| 11.2.0 | 9 / 10 | |
| 11.1.1 | 10 / 10 | |
| 11.1.0 | 10 / 10 | |
| 11.0.0 | 10 / 10 | |
| 10.2.0 | 8 / 9 | |
| 10.1.1 | 8 / 9 | |
| 10.1.0 | 8 / 9 | |
| 10.0.1 | 8 / 9 | |
| 10.0.0 | 8 / 9 | |
| 9.1.2 | 8 / 9 | |
| 9.1.1 | 8 / 9 | |
| 9.1.0 | 11 / 9 | |
| 9.0.1 | 9 / 10 | |
| 9.0.0 | 10 / 9 | |
| 8.2.0 | 9 / 8 | |
| 8.1.0 | 9 / 8 | |
| 8.0.0 | 9 / 8 | |
| 7.0.0 | 9 / 8 | |
| 6.0.2 | 11 / 8 | |
| 6.0.1 | 11 / 8 | |
| 6.0.0 | 11 / 8 | |
| 5.0.0 | 11 / 8 | |
| 4.0.0 | 11 / 8 | |
| 3.0.4 | 11 / 8 | |
| 3.0.3 | 11 / 8 | |
| 3.0.2 | 11 / 8 | |
| 3.0.1 | 11 / 8 | |
| 3.0.0 | 11 / 7 | |
| 2.5.0 | 11 / 7 | |
| 2.4.3 | 11 / 7 | |
| 2.4.2 | 11 / 7 | |
| 2.4.1 | 11 / 7 | |
| 2.4.0 | 12 / 7 | |
| 2.3.0 | 12 / 7 | |
| 2.2.0 | 12 / 7 | |
| 2.1.2 | 12 / 7 |
v13.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.