mdast-util-to-markdown

mdast utility to serialize markdown

Versions: 2
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wooorm, kmck

Keywords

ast, compile, markdown, markup, mdast-util, mdast, serialize, stringify, syntax, tree, unist, utility, util

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:zwitch | AI (dependencies): zwitch is a legitimate utility by wooorm, part of the unified ecosystem. Stable dependency for this package. | ai |
dependencies | unvetted-dep:@types/mdast | AI (dependencies): @types/mdast is the official TypeScript type definition for mdast, maintained by the syntax-tree org. Not a security concern. | ai |
dependencies | unvetted-dep:longest-streak | AI (dependencies): longest-streak is a small utility by wooorm used for markdown serialization. Legitimate dependency. | ai |
dependencies | unvetted-dep:unist-util-visit | AI (dependencies): unist-util-visit is a core utility in the unified/unist ecosystem by wooorm. Legitimate dependency. | ai |
dependencies | unvetted-dep:mdast-util-phrasing | AI (dependencies): mdast-util-phrasing is a core mdast utility by wooorm/syntax-tree. Legitimate dependency. | ai |
dependencies | unvetted-dep:mdast-util-to-string | AI (dependencies): mdast-util-to-string is a core mdast utility by wooorm/syntax-tree. Legitimate dependency. | ai |
dependencies | unvetted-dep:micromark-util-decode-string | AI (dependencies): micromark-util-decode-string is part of the micromark ecosystem by wooorm. Legitimate dependency. | ai |
dependencies | unvetted-dep:micromark-util-classify-character | AI (dependencies): micromark-util-classify-character is part of the micromark ecosystem by wooorm. Legitimate dependency. | ai |
phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): TypeScript type packages declared as runtime deps is a known pattern in the unified ecosystem for type re-exports. Not a security concern. | ai |
phantom-deps | phantom-dep:@types/unist | AI (phantom-deps): TypeScript type packages declared as runtime deps is a known pattern in the unified ecosystem for type re-exports. Not a security concern. | ai |
provenance | no-provenance | AI (provenance): wooorm's packages consistently lack Sigstore provenance; publisher trust and ecosystem context are strong compensating controls. | ai |

Versions (showing 2 of 2)

Version Deps Published
2.1.2 9 / 10
1.5.0 8 / 10

v1.5.0

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.