@tiptap/extension-text-style @2.27.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

—

License

Install Scripts

Dependencies

Dev Dependencies

5.2 KB

Package Size

2025-10-29

Published

Maintainers

patrickbabertimoisik_bdbchsvenadlungtiptap-bot

Keywords

tiptaptiptap extension

Dev Dependencies (1)

Package	Constraint	Registry Status
@tiptap/core	^2.27.0	auto_approved

Changes from v3.9.0

Dependency Changes

Script Changes

+ clean - lint

File Changes

6 added 56 removed 8 modified size delta: -393.8 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`regressed-provenance`	provenance	reject	AI	AI (provenance): Provenance regression is a critical supply-chain signal for this package; should fail every version until CI/CD attestation is restored.
`publisher-changed`	provenance	reject	AI	AI (provenance): Publisher changed from established tiptap-bot CI account to a new human account with no prior publish history; warrants rejection until confirmed legitimate.

SAST Findings (2)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH Publisher changed: tiptap-bot → _bdbch (on 2025-10-29) provenance

This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3).

Commit: 247d2778baf1 Browse source

Published to npm: 2025-10-29