remark-mdx — Greenflagged

remark plugin to support MDX syntax

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

johnotimneutkenswooormremcohaszing

Keywords

javascriptjsxmarkdownmdastmdxpluginremarkremark-pluginunifiedxml

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:micromark-extension-mdxjs	AI (dependencies): micromark-extension-mdxjs is part of the same mdx-js/mdx monorepo and maintained by the same trusted author (wooorm); not a suspicious dependency for this package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New Babel deps (@babel/core, plugin-syntax-jsx, helper-plugin-utils, plugin-proposal-object-rest-spread) are canonical packages consistent with remark-mdx's JSX parsing purpose; not suspicious.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): timneutkens was already a listed contributor in package.json before being added as maintainer; this is a legitimate promotion within the mdx-js/mdx project, not a suspicious takeover.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/plugin-syntax-jsx	AI (phantom-deps): Babel plugins are loaded by convention via @babel/core plugin arrays, not directly imported. This is standard Babel plugin usage for a JSX-processing package.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/plugin-proposal-object-rest-spread	AI (phantom-deps): Babel plugins are loaded by convention via @babel/core plugin arrays, not directly imported. This is standard Babel plugin usage for a JSX-processing package.	ai	2026/04/22
phantom-deps	phantom-dep:unified	AI (phantom-deps): unified is a declared runtime dependency used as plugin infrastructure; not directly imported in source but legitimately required. False positive for this remark plugin pattern.	ai	2026/04/22
phantom-deps	phantom-dep:remark-parse	AI (phantom-deps): remark-parse is a declared runtime dependency used as plugin infrastructure; not directly imported in source but legitimately required. False positive for this remark plugin pattern.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Transition from johno to silvenon occurred in July 2020 and is a documented legitimate maintainer handoff. Silvenon is listed as a contributor in package.json and has a strong track record (314 approved / 0 rejected).	ai	2026/04/22
provenance	no-provenance	AI (provenance): wooorm is a well-established npm publisher; lack of provenance is common and not a risk signal for this package.	ai	2026/04/21

Versions (showing 51 of 85)

View all versions

Version	Deps	Published
3.1.1	2 / 0	2025-08-29
3.1.0	2 / 0	2024-10-18
3.0.1	2 / 0	2024-02-12
3.0.0	2 / 0	2023-10-24
2.3.0	2 / 6	2023-02-09
2.2.1	2 / 6	2022-12-14
2.2.0	2 / 6	2022-12-14
2.1.5	2 / 6	2022-10-11
2.1.4	2 / 6	2022-10-06
2.1.3	2 / 6	2022-08-17
2.1.2	2 / 6	2022-06-18
2.1.1	2 / 6	2022-03-31
2.1.0	2 / 6	2022-03-16
2.0.0	2 / 6	2022-02-01
1.6.22	8 / 0	2020-12-01
1.6.21	8 / 0	2020-11-07
1.6.20	8 / 0	2020-11-07
1.6.19	8 / 0	2020-10-20
1.6.18	8 / 0	2020-09-17
1.6.17	8 / 0	2020-09-14
1.6.16	8 / 0	2020-07-29
1.6.15	8 / 0	2020-07-29
1.6.14	8 / 0	2020-07-22
1.6.13	8 / 0	2020-07-20
1.6.12	8 / 0	2020-07-20
1.6.11	8 / 0	2020-07-17
1.6.10	8 / 0	2020-07-17
1.6.9	8 / 0	2020-07-16
1.6.8	8 / 0	2020-07-16
1.6.7	8 / 0	2020-07-15
1.6.6	8 / 0	2020-06-17
1.6.5	8 / 0	2020-05-29
1.6.4	8 / 0	2020-05-20
1.6.3	8 / 0	2020-05-20
1.6.2	8 / 0	2020-05-20
1.6.1	8 / 0	2020-05-01
1.6.0	8 / 0	2020-04-27
1.5.9	8 / 0	2020-04-22
1.5.8	8 / 0	2020-03-26
1.5.7	8 / 0	2020-02-21
1.5.6	8 / 0	2020-02-20
1.5.5	8 / 0	2020-01-16
1.5.4	8 / 0	2020-01-15
1.5.3	8 / 0	2019-12-20
1.5.2	8 / 0	2019-12-16
1.5.1	8 / 3	2019-10-07
1.5.0	8 / 3	2019-09-23
1.4.5	8 / 3	2019-09-09
1.4.4	8 / 3	2019-09-05
1.4.3	8 / 3	2019-09-04
1.4.2	8 / 3	2019-09-03