@kong/markdown
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/kong-markdown.es.js | AI (source-diff): Oniguruma WASM binary inlined as base64 by shiki; standard pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/astro-D8QEIUE9.js | AI (source-diff): Minified shiki language grammar JSON; stable pattern for this markdown+syntax-highlighting package. | ai | |
| source-diff | obfuscated-file:dist/c-C6tVDVro.js | AI (source-diff): Minified shiki language grammar JSON; same pattern. | ai | |
| source-diff | obfuscated-file:dist/c4Diagram-AAUBKEIU-ftdwlfdB.js | AI (source-diff): Minified mermaid diagram bundle; expected for this package. | ai | |
| source-diff | obfuscated-file:dist/csharp-Cy04UeDC.js | AI (source-diff): Minified shiki language grammar JSON; same pattern. | ai | |
| source-diff | obfuscated-file:dist/css-DyTPeTTI.js | AI (source-diff): Minified shiki language grammar JSON; same pattern. | ai | |
| source-diff | net-exec-file:dist/chunk-NNHCCRGN-BWmckZT7.js | AI (source-diff): mermaid-parser LSP bundle; no actual network fetch or eval; standard bundled dependency. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is the core rendering engine for this markdown package; its use is expected and stable across all versions. | ai | |
| phantom-deps | phantom-dep:markdown-it-sup | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-abbr | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-mark | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-attrs | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-emoji | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-anchor | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared runtime dep, bundled by Vite; phantom-dep heuristic is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:markdown-it-footnote | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:@sindresorhus/slugify | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-task-lists | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-textual-uml | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:@mdit-vue/plugin-frontmatter | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-deflist | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:mermaid | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:html-format | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-ins | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-sub | AI (phantom-deps): Declared runtime dep, bundled by Vite; false positive. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.9.9 | 22 / 49 | |
| 1.9.8 | 22 / 50 | |
| 1.9.7 | 22 / 50 | |
| 1.9.6 | 22 / 50 | |
| 1.9.5 | 21 / 50 |
v1.9.9
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.