rehype-slug — Greenflagged

rehype plugin to add `id` attributes to headings

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wooormkmck

Keywords

headinghtmlidpluginrehyperehype-pluginslugunified

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): unified and @types/hast are core ecosystem packages from the same unified org; their addition is expected for a rehype plugin moving to explicit TypeScript typing.	ai	2026/04/24
provenance	no-provenance	AI (provenance): wooorm is a highly trusted publisher with a long track record; lack of provenance is a minor gap, not a risk signal for this package.	ai	2026/04/24
dependencies	unvetted-dep:@types/hast	AI (dependencies): @types/hast is a standard TypeScript type definition package used throughout the unified/rehype ecosystem; not a runtime risk.	ai	2026/04/23
phantom-deps	phantom-dep:@types/hast	AI (phantom-deps): @types/* packages are type-only and never directly imported at runtime; phantom-dep finding is a stable false positive for this package.	ai	2026/04/23

Versions (showing 12 of 12)

Version	Deps	Published
6.0.0	5 / 9	2023-08-31
5.1.0	7 / 11	2022-10-31
5.0.1	7 / 12	2021-12-30
5.0.0	7 / 12	2021-08-02
4.0.1	5 / 11	2020-11-12
4.0.0	5 / 11	2020-11-11
3.0.0	5 / 9	2020-03-15
2.0.3	5 / 9	2019-06-01
2.0.2	5 / 9	2018-11-17
2.0.1	5 / 8	2017-06-20
2.0.0	5 / 8	2017-02-23
1.0.0	5 / 8	2016-10-22

v6.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.