remark-slug

Deprecated: this package is no longer maintained. Please use `remark-rehype` to move from remark (markdown) to rehype (HTML) and then replace `remark-slug` with [`rehype-slug`](https://github.com/rehypejs/rehype-slug).

Versions: 19
License:
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

remcohaszing, johno, wooorm

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| dependencies | unvetted-dep:mdast-util-to-string | AI (dependencies): mdast-util-to-string is a core unified ecosystem utility maintained by wooorm, the same author as remark-slug. No security risk. | ai | |
| dependencies | unvetted-dep:@types/hast | AI (dependencies): @types/hast is a canonical TypeScript type definition package for the unified/hast ecosystem, maintained by wooorm. No security risk. | ai | |
| dependencies | unvetted-dep:@types/mdast | AI (dependencies): @types/mdast is a canonical TypeScript type definition package for the unified/mdast ecosystem, maintained by wooorm. No security risk. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): @types/mdast is a TypeScript type-only package; same rationale as @types/hast — declared for TS consumers, not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:@types/hast | AI (phantom-deps): @types/hast is a TypeScript type-only package; declaring it as a dep without direct JS import is standard practice for TypeScript-first packages in the unified ecosystem. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): remcohaszing is a known remark/unified ecosystem contributor; addition is a legitimate handoff alongside trusted publisher wooorm. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals (no deps, tiny payload, minimal README) are consistent with a deliberate deprecation stub release, not spam or malware. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by a stub/deprecation release is expected for a superseded package in the remark ecosystem; not indicative of takeover. | ai | |

Versions (showing 19 of 19)

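| Version | Deps | Published |
| --- | --- | --- |
| 8.0.0 | 0 / 0 | |
| 7.0.1 | 6 / 14 | |
| 7.0.0 | 6 / 14 | |
| 6.1.0 | 3 / 12 | |
| 6.0.0 | 3 / 11 | |
| 5.1.2 | 3 / 11 | |
| 5.1.1 | 3 / 10 | |
| 5.1.0 | 3 / 11 | |
| 5.0.0 | 3 / 10 | |
| 4.2.3 | 3 / 10 | |
| 4.2.2 | 3 / 10 | |
| 4.2.1 | 3 / 16 | |
| 4.2.0 | 3 / 16 | |
| 4.1.1 | 3 / 16 | |
| 4.1.0 | 3 / 15 | |
| 4.0.0 | 3 / 15 | |
| 3.0.2 | 4 / 16 | |
| 3.0.1 | 4 / 16 | |
| 3.0.0 | 4 / 16 | |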

v8.0.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.