rehype-docz — Greenflagged

Rehype plugin used by docz

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pedronauckrenatobenks

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): brace and react-ace are well-known Ace editor packages, consistent with docz's code editing functionality. Both are phantom deps (not directly imported), indicating they are declared for consumers.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Package is 2831 days old with 92 versions and 7.8k weekly downloads. Metadata hygiene issues (no repo URL, sparse README) are cosmetic and not indicative of malicious intent for this established package.	ai	2026/04/24
phantom-deps	phantom-dep:brace	AI (phantom-deps): brace is a declared dependency used in docz config/tooling context; phantom detection is a false positive for this monorepo sub-package.	ai	2026/04/23
phantom-deps	phantom-dep:react-ace	AI (phantom-deps): react-ace is a declared dependency used in docz config/tooling context; phantom detection is a false positive for this monorepo sub-package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): renatobenks is a known docz maintainer with 315 approved packages and 0 rejections; transition from rakannimer is a documented project handoff within doczjs org.	ai	2026/04/23
phantom-deps	phantom-dep:unist-util-is	AI (phantom-deps): unist-util-is is a declared dependency used in docz config/tooling context; phantom detection is a false positive for this monorepo sub-package.	ai	2026/04/23
phantom-deps	phantom-dep:jsx-ast-utils	AI (phantom-deps): jsx-ast-utils is a declared dependency used in docz config/tooling context; phantom detection is a false positive for this monorepo sub-package.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): renatobenks is a legitimate docz project maintainer with a clean track record; addition reflects project ownership transition, not compromise.	ai	2026/04/23

Versions (showing 31 of 31)

Version	Deps	Published
2.4.0	7 / 0	2022-02-11
2.3.0	7 / 4	2020-04-02
2.1.0	7 / 4	2019-11-27
2.0.0	7 / 4	2019-11-25
1.2.0	5 / 3	2019-05-08
1.1.0	5 / 3	2019-05-01
1.0.4	5 / 3	2019-04-18
1.0.2	5 / 3	2019-04-15
1.0.1	5 / 3	2019-04-14
1.0.0	5 / 2	2019-04-11
0.13.6	5 / 0	2018-12-26
0.13.5	5 / 0	2018-12-19
0.13.3	5 / 0	2018-12-17
0.13.0	5 / 0	2018-12-17
0.12.16	5 / 1	2018-12-13
0.12.15	5 / 1	2018-12-04
0.12.14	5 / 1	2018-12-04
0.12.13	5 / 1	2018-11-23
0.12.12	5 / 1	2018-11-16
0.12.10	5 / 1	2018-11-15
0.12.9	5 / 1	2018-11-01
0.12.8	5 / 1	2018-10-31
0.12.6	5 / 1	2018-10-30
0.12.2	5 / 1	2018-09-28
0.11.0	9 / 2	2018-09-02
0.10.3	9 / 2	2018-08-16
0.10.0	9 / 2	2018-08-13
0.9.4	7 / 0	2018-08-04
0.9.0	7 / 0	2018-08-02
0.8.0	7 / 0	2018-07-28
0.7.0	7 / 0	2018-07-23

v2.4.0

2 findings

HIGH Publisher changed: rakannimer → renatobenks (on 2022-02-11) provenance

This version was published by a different npm account than previous versions on 2022-02-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance