yuidocjs
YUIDoc, YUI's JavaScript Documentation engine.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive open-source license; the uncommon-license flag is a false positive for this package. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a widely-used, well-maintained Markdown parser; its use in a documentation tool is expected and benign. | ai | |
| source-diff | obfuscated-file:output/assets/vendor/prettify/prettify-min.js | AI (source-diff): prettify-min.js is the well-known Google Code Prettify syntax highlighter. Minified JS is expected for this vendor asset; unminified source is also included. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): This is the well-known Google Code Prettify syntax highlighter, minified as part of Istanbul's lcov HTML coverage report output. It is a standard test artifact, not malicious code. | ai | |
| source-diff | obfuscated-file:conf/docs/assets/vendor/prettify/prettify-min.js | AI (source-diff): This is Google's prettify syntax highlighter in standard minified form, a well-known open-source vendor library. Shipping minified vendor assets is expected for a documentation tool. | ai | |
| source-diff | obfuscated-file:tests/out/assets/vendor/prettify/prettify-min.js | AI (source-diff): This is the well-known Google Prettify syntax highlighter (minified), bundled as a vendor asset in test output for the documentation generator. Not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from ericf to stefanpenner occurred in 2016; stefanpenner is a well-known trusted npm publisher with 649 approved packages. Legitimate maintainer transition. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in yuidocjs loads user-configured Handlebars helper modules — intentional plugin/extension functionality for a documentation tool, not malicious. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): stefanpenner is a reputable, long-standing npm publisher. Transition occurred in 2016 and has been stable. No compromise indicators. | ai | |
Versions (showing 51 of 93)
| Version | Deps | Published |
|---|---|---|
| 0.6.0 | 6 / 5 | |
| 0.5.0 | 6 / 5 | |
| 0.4.0 | 6 / 5 | |
| 0.3.50 | 6 / 5 | |
| 0.3.49 | 6 / 5 | |
| 0.3.48 | 6 / 5 | |
| 0.3.47 | 6 / 4 | |
| 0.3.46 | 6 / 4 | |
| 0.3.45 | 6 / 4 | |
| 0.3.44 | 6 / 4 | |
| 0.3.43 | 6 / 4 | |
| 0.3.42 | 6 / 4 | |
| 0.3.41 | 6 / 4 | |
| 0.3.40 | 6 / 4 | |
| 0.3.39 | 6 / 4 | |
| 0.3.38 | 6 / 4 | |
| 0.3.37 | 6 / 4 | |
| 0.3.36 | 6 / 4 | |
| 0.3.35 | 6 / 2 | |
| 0.3.34 | 6 / 2 | |
| 0.3.33 | 6 / 2 | |
| 0.3.32 | 6 / 2 | |
| 0.3.31 | 6 / 2 | |
| 0.3.30 | 6 / 2 | |
| 0.3.29 | 6 / 2 | |
| 0.3.28 | 6 / 2 | |
| 0.3.27 | 6 / 2 | |
| 0.3.26 | 6 / 2 | |
| 0.3.25 | 6 / 2 | |
| 0.3.24 | 6 / 2 | |
| 0.3.23 | 6 / 2 | |
| 0.3.22 | 6 / 2 | |
| 0.3.21 | 6 / 2 | |
| 0.3.20 | 6 / 2 | |
| 0.3.19 | 6 / 2 | |
| 0.3.18 | 6 / 2 | |
| 0.3.17 | 6 / 2 | |
| 0.3.16 | 6 / 2 | |
| 0.3.15 | 6 / 2 | |
| 0.3.14 | 6 / 2 | |
| 0.3.13 | 6 / 2 | |
| 0.3.12 | 6 / 2 | |
| 0.3.11 | 6 / 2 | |
| 0.3.10 | 6 / 2 | |
| 0.3.9 | 6 / 2 | |
| 0.3.8 | 6 / 2 | |
| 0.3.7 | 6 / 2 | |
| 0.3.6 | 6 / 2 | |
| 0.3.5 | 6 / 2 | |
| 0.3.4 | 6 / 2 | |
| 0.3.3 | 6 / 2 | |
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-01-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.50
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.49
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.48
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.47
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.46
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-10-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.45
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-07-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.44
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.43
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.42
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.41
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.39
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.38
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.37
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.36
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.35
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.34
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.