@strapi/plugin-documentation
Create an OpenAPI Document and visualize your API with SWAGGER UI.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Strapi org accounts; consistent with internal team management. | ai | |
| provenance | publisher-changed | AI (provenance): bassel17 is an established Strapi org publisher with 29 approved packages; change reflects internal team rotation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal paired with addition of other Strapi org accounts; consistent with team rotation. | ai | |
| source-diff | obfuscated-file:dist/server/public/login.html.js | AI (source-diff): Long lines are an embedded HTML template string, not obfuscated/malicious code; stable pattern for this plugin. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Strapi monorepo plugin; version aligns with coordinated 5.14.0 release across all @strapi/* packages. | ai | |
| dependencies | unvetted-dep:@strapi/helper-plugin | AI (dependencies): @strapi/helper-plugin is a first-party Strapi package published by the same organization. No security concern. | ai | |
| dependencies | unvetted-dep:react-query | AI (dependencies): react-query 3.39.3 is a well-known, widely-used data-fetching library with no known malicious history. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@strapi/design-system | AI (dependencies): @strapi/design-system is a first-party Strapi package; it is an expected dependency for all Strapi admin plugins and not a third-party risk. | ai | |
| dependencies | unvetted-dep:@strapi/icons | AI (dependencies): @strapi/icons is a first-party Strapi design system package; it is an expected dependency for all Strapi admin plugins and not a third-party risk. | ai | |
| provenance | no-provenance | AI (provenance): Strapi publishes from a monorepo without Sigstore provenance attestation; this is consistent across all their packages and not a security concern. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE | AI (license): Strapi uses 'SEE LICENSE IN LICENSE' as their standard license declaration across all packages in the monorepo; not a security concern. | ai | |
Versions (showing 51 of 65)
| Version | Deps | Published |
|---|---|---|
| 5.47.1 | 17 / 18 | |
| 5.47.0 | 17 / 19 | |
| 5.46.1 | 17 / 19 | |
| 5.46.0 | 17 / 19 | |
| 5.45.1 | 17 / 19 | |
| 5.45.0 | 17 / 19 | |
| 5.44.0 | 17 / 19 | |
| 5.43.0 | 17 / 19 | |
| 5.42.1 | 17 / 19 | |
| 5.42.0 | 17 / 19 | |
| 5.41.1 | 17 / 19 | |
| 5.41.0 | 17 / 19 | |
| 5.40.0 | 17 / 19 | |
| 5.39.0 | 17 / 19 | |
| 5.38.1 | 17 / 19 | |
| 5.38.0 | 17 / 19 | |
| 5.37.1 | 17 / 19 | |
| 5.37.0 | 17 / 19 | |
| 5.36.1 | 17 / 19 | |
| 5.36.0 | 17 / 19 | |
| 5.35.0 | 17 / 19 | |
| 5.34.0 | 17 / 19 | |
| 5.33.4 | 17 / 19 | |
| 5.33.3 | 17 / 19 | |
| 5.33.2 | 17 / 19 | |
| 5.33.1 | 17 / 19 | |
| 5.33.0 | 17 / 19 | |
| 5.32.0 | 17 / 19 | |
| 5.31.3 | 17 / 19 | |
| 5.31.2 | 17 / 19 | |
| 5.31.1 | 17 / 19 | |
| 5.31.0 | 17 / 19 | |
| 5.30.1 | 17 / 19 | |
| 5.30.0 | 17 / 19 | |
| 5.29.0 | 17 / 19 | |
| 5.28.0 | 17 / 19 | |
| 5.27.0 | 17 / 19 | |
| 5.26.0 | 17 / 19 | |
| 5.25.0 | 17 / 19 | |
| 5.24.2 | 17 / 19 | |
| 5.24.1 | 17 / 19 | |
| 5.24.0 | 17 / 19 | |
| 5.23.6 | 17 / 19 | |
| 5.23.5 | 17 / 19 | |
| 5.23.4 | 17 / 19 | |
| 5.23.3 | 17 / 19 | |
| 5.23.2 | 17 / 19 | |
| 5.23.1 | 17 / 19 | |
| 5.23.0 | 17 / 19 | |
| 5.22.0 | 17 / 19 | |
| 5.21.0 | 17 / 19 | |
v5.47.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.47.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.40.0
2 findings: This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.39.0
2 findings: This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.38.1
2 findings: This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.38.0
2 findings: This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.37.1
2 findings: This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.37.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.36.1
2 findings: This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.36.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.35.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.34.0
2 findings: This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.4
2 findings: This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.3
2 findings: This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.2
2 findings: This version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.1
2 findings: This version was published by a different npm account than previous versions on 2025-12-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.0
2 findings: This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.32.0
2 findings: This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.29.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.28.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.25.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.