remark-parse
remark plugin to add support for parsing markdown input
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:spektrakel.de | AI (email-domain): The spektrakel.de email belongs to a contributor, not the primary publisher (wooorm). The package is published by a highly trusted maintainer with 2164 approved packages. Risk is low and stable across versions. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): remark-parse v10 was a major architectural rewrite delegating parsing to mdast-util-from-markdown; the gap reflects intentional ecosystem restructuring by the canonical maintainer wooorm, not account takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): remark-parse is a large open-source project under the remarkjs org; multiple maintainer additions reflect legitimate community growth, not a suspicious takeover. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): remark-parse 0.0.0 is a legitimate placeholder version in the wooorm/remark monorepo ecosystem, not a throwaway malicious package. Publisher wooorm is highly trusted with 2000+ approved packages. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects intentional refactor: parsing logic moved to mdast-util-from-markdown; remark-parse v10 is a thin plugin wrapper by design. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (unified, mdast-util-from-markdown, @types/mdast) are core unified-ecosystem packages by the same maintainer, introduced as part of the well-documented remark v10 architectural rewrite. | ai | |
| dependencies | unvetted-dep:micromark-util-types | AI (dependencies): micromark-util-types is a core package in the micromark ecosystem (same author, wooorm), used as the foundation for remark's modern parser stack. | ai | |
| dependencies | unvetted-dep:@types/mdast | AI (dependencies): @types/mdast is a core TypeScript types package in the unified/mdast ecosystem, maintained by the same author (wooorm). Stable dependency for this package. | ai | |
| dependencies | unvetted-dep:mdast-util-from-markdown | AI (dependencies): mdast-util-from-markdown is the canonical markdown-to-mdast utility in the unified ecosystem, maintained by wooorm. Expected dependency for remark-parse v11+. | ai | |
| dependencies | unvetted-dep:unist-util-remove-position | AI (dependencies): unist-util-remove-position is a core unified ecosystem utility by wooorm; stable and benign. | ai | |
| dependencies | unvetted-dep:trim | AI (dependencies): trim is a long-standing small utility used throughout the unified/remark ecosystem; no malicious history. | ai | |
| dependencies | unvetted-dep:unherit | AI (dependencies): unherit is a wooorm-authored utility package integral to the unified ecosystem; stable and benign. | ai | |
| dependencies | unvetted-dep:state-toggle | AI (dependencies): state-toggle is a tiny wooorm utility used across the unified ecosystem; no risk indicators. | ai | |
| dependencies | unvetted-dep:markdown-escapes | AI (dependencies): markdown-escapes is a wooorm-authored utility specific to the remark/unified ecosystem; benign. | ai | |
| dependencies | unvetted-dep:is-word-character | AI (dependencies): is-word-character is a small wooorm utility for character classification; no risk indicators. | ai | |
| dependencies | unvetted-dep:trim-trailing-lines | AI (dependencies): trim-trailing-lines is a tiny wooorm utility; stable and benign. | ai | |
| dependencies | unvetted-dep:is-whitespace-character | AI (dependencies): is-whitespace-character is a small wooorm utility for character classification; no risk indicators. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): @types/mdast is intentionally declared as a runtime dep in the unified ecosystem for TypeScript type re-exports; not a real phantom dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): wooorm is the canonical remark maintainer with a strong track record; lack of provenance is not a meaningful risk signal here. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 11.0.0 | 4 / 0 | |
| 10.0.2 | 3 / 0 | |
| 10.0.1 | 3 / 0 | |
| 10.0.0 | 3 / 0 | |
| 9.0.0 | 1 / 0 | |
| 8.0.3 | 16 / 0 | |
| 8.0.2 | 16 / 0 | |
| 8.0.1 | 16 / 0 | |
| 8.0.0 | 16 / 0 | |
| 7.0.2 | 15 / 0 | |
| 7.0.1 | 15 / 0 | |
| 7.0.0 | 15 / 0 | |
| 6.0.3 | 15 / 3 | |
| 6.0.2 | 15 / 3 | |
| 6.0.1 | 15 / 3 | |
| 6.0.0 | 15 / 3 | |
| 5.0.0 | 15 / 0 | |
| 4.0.0 | 15 / 0 | |
| 3.0.1 | 16 / 0 | |
| 3.0.0 | 16 / 0 | |
| 2.3.0 | 16 / 0 | |
| 2.2.0 | 16 / 0 | |
| 2.1.0 | 16 / 0 | |
| 2.0.2 | 16 / 0 | |
| 2.0.1 | 16 / 0 | |
| 2.0.0 | 16 / 0 | |
| 1.1.0 | 9 / 0 | |
| 1.0.0 | 9 / 0 | |
| 0.0.0 | 9 / 0 | |
v11.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
2 findings: Maintainer email '[email protected]' uses domain 'spektrakel.de' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
2 findings: Maintainer email '[email protected]' uses domain 'spektrakel.de' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
2 findings: Maintainer email '[email protected]' uses domain 'spektrakel.de' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings: Maintainer email '[email protected]' uses domain 'spektrakel.de' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.