@medplum/core @2.1.26
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 60
License: —
Install Scripts: No
Dependencies: 0
Dev Dependencies: 3
Package Size: 443.1 KB
Published:
Maintainers: codyebberson, reshmakh, rahul1
Keywords: medplum, fhir, healthcare, interoperability, json, serialization, hl7, standards, clinical, dstu2, stu3, r4, normative
Dev Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| @medplum/fhirtypes | * | auto_approved |
| jest-websocket-mock | 2.5.0 | Not imported |
| @medplum/definitions | * | pending |
Changes from v5.0.15
Dependency Changes
Script Changes
- lint
- lint:fix
File Changes
0 added
1 removed
8 modified
size delta: -1338.4 KB
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Medplum publishes via CI/CD with attestations; a manual publish without provenance on a dormant v2.x branch is a strong compromise indicator that generalizes across versions. |
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher shift from GitHub Actions to a human account on a dormant old version branch is a high-risk signal for this package; should be verified before any version is approved under this pattern. |
SAST Findings (2)
HIGH: Provenance attestation missing — previous versions had it (source: provenance)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH: Publisher changed: GitHub Actions → codyebberson (on 2026-02-23) (source: provenance)
This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 60. Findings: 2 high (+50), 1 medium (+10).
Commit: a1b33b73f169
Published to npm: