@fumadocs/ui @16.3.1
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 40
License: —
Install Scripts: No
Dependencies: 5
Dev Dependencies: 13
Package Size: 23.7 KB
Published
Maintainers: sonmoosans
Keywords: FumadocsDocs
Dependencies (5)
| Package | Constraint | Registry Status |
|---|---|---|
| next-themes | ^0.4.6 | auto_approved |
| lodash.merge | ^4.6.2 | auto_approved |
| fumadocs-core | 16.3.1 | No greenflagged match |
| tailwind-merge | ^3.4.0 | auto_approved |
| postcss-selector-parser | ^7.1.1 | auto_approved |
Dev Dependencies (13)
| Package | Constraint | Registry Status |
|---|---|---|
| next | 16.1.0 | auto_approved |
| tsconfig | 0.0.0 | No greenflagged match |
| tsc-alias | ^1.8.16 | auto_approved |
| @types/bun | ^1.3.5 | auto_approved |
| @types/node | ^24.10.2 | auto_approved |
| tailwindcss | ^4.1.18 | auto_approved |
| @types/react | ^19.2.7 | auto_approved |
| @fumadocs/cli | 1.1.0 | auto_approved |
| fumadocs-core | 16.3.1 | No greenflagged match |
| @types/react-dom | ^19.2.3 | auto_approved |
| @types/lodash.merge | ^4.6.9 | auto_approved |
| eslint-config-custom | 0.0.0 | No greenflagged match |
| class-variance-authority | ^0.7.1 | auto_approved |
Transitive Dependency Tree (7 transitive deps, max depth 2)
├─ fumadocs-core 16.3.1
├─ lodash.merge ^4.6.2 → 4.6.2
├─ next-themes ^0.4.6 → 0.4.6
├─ postcss-selector-parser ^7.1.1 → 7.1.3
├─ tailwind-merge ^3.4.0 → 3.5.0
├─ cssesc ^3.0.0 → 3.0.0
├─ util-deprecate ^1.0.2 → 1.0.2
Changes from v16.3.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| changed | fumadocs-core | 16.3.0 → 16.3.1 |
File Changes
0 added
0 removed
1 modified
size delta: -.0 KB
Risk Dispositions (1 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed from GitHub Actions to a personal account alongside regressed provenance — high-risk pattern for this package. | |
1 disposition that does not match any finding on this version:
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Prior versions had CI/CD attestations; missing provenance on a new version is a persistent compromise signal for this package. | |
SAST Findings (2)
HIGH
Publisher changed: sonmoosans → GitHub Actions (on 2025-12-19)
provenance
This version was published by a different npm account than previous versions on 2025-12-19. This could indicate a legitimate maintainer transition or an account compromise.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 40. Findings: 1 critical (+40), 2 info (+0).
Published to npm: