@tiptap/extension-list-item @2.27.0
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 70
License: —
Install Scripts: No
Dependencies: 0
Dev Dependencies: 1
Package Size: 3.3 KB
Published
Maintainers
patrickbaber, timoisik, _bdbch, svenadlung, tiptap-bot
Keywords
tiptap, tiptap extension
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| @tiptap/core | ^2.27.0 | auto_approved |
Changes from v3.9.0
Dependency Changes
Script Changes
+ clean
- lint
File Changes
6 added
2 removed
8 modified
size delta: +9.6 KB
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Tiptap packages are published via CI with provenance attestations; any version lacking provenance from a new publisher is a strong compromise signal that generalizes. |
| publisher-changed | provenance | reject | AI | AI (provenance): Legitimate tiptap publishes go through tiptap-bot; a human account (_bdbch, first seen 30 days ago) bypassing the bot pipeline is a persistent red flag for this package. |
SAST Findings (2)
HIGH: Provenance attestation missing — previous versions had it (provenance)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
HIGH: Publisher changed: tiptap-bot → _bdbch (on 2025-10-29) (provenance)
This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 70. Findings: 2 high (+50), 2 medium (+20).
Commit: 247d2778baf1
Published to npm: