@atlaskit/editor-markdown-transformer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Long-established Atlassian package with trusted publisher account; dormancy likely reflects internal release cadence, not takeover. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-known, widely-used markdown parser. Its use is expected and appropriate for this markdown transformer package; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Atlassian publishes via their artifact team pipeline without Sigstore provenance; this is consistent across their entire @atlaskit/* package family. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 5.21.0 | 5 / 5 | |
| 5.20.6 | 5 / 4 | |
| 5.20.5 | 5 / 4 | |
| 5.20.4 | 5 / 4 | |
| 5.20.3 | 5 / 4 | |
| 5.20.1 | 5 / 4 | |
| 5.20.0 | 5 / 4 | |
| 5.17.0 | 5 / 4 | |
| 5.16.6 | 5 / 4 | |
| 5.16.5 | 5 / 4 | |
| 5.16.3 | 5 / 5 | |
| 5.16.1 | 5 / 5 |
v5.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.20.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.20.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.20.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.20.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.