@excalidraw/mermaid-to-excalidraw

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dwellemaielo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:react-split	AI (phantom-deps): react-split is used in the playground UI, not the published library dist. It's declared in dependencies but only referenced in config/playground files — a misplacement, not a security issue.	ai	2026/04/27
dependencies	unvetted-dep:react-split	AI (dependencies): react-split is a well-known Split.js React wrapper used in the playground UI. The phantom-dep finding confirms it's not imported in the library itself; no security concern.	ai	2026/04/27
dependencies	unvetted-dep:@excalidraw/markdown-to-text	AI (dependencies): @excalidraw/markdown-to-text is a scoped package from the same Excalidraw org — an internal dependency, not a third-party unknown. Stable false positive for this package.	ai	2026/04/25
phantom-deps	phantom-dep:@mermaid-js/parser	AI (phantom-deps): @mermaid-js/parser is declared as a direct dependency in package.json; phantom-dep finding reflects indirect import pattern, not a security concern for this package.	ai	2026/04/25

Versions (showing 6 of 6)

Version	Deps	Published
2.2.2	4 / 26	2026-03-24
2.2.1	4 / 26	2026-03-24
2.1.1	4 / 24	2026-03-12
2.1.0	4 / 24	2026-03-11
2.0.0	4 / 24	2025-11-25
1.1.4	4 / 24	2025-11-21