bpmn-js @18.13.2
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 38
License: —
Install Scripts: No
Dependencies: 8
Dev Dependencies: 45
Package Size: 1127.1 KB
Published
Maintainers
bpmn-io-adminnikkubarmacphilippfrommemaxtruskaiir-camundavsgoulartbarinalijarekdanielakev-camundaalekseymanetovsimon-steinruecken-camunda
Keywords
bpmn, bpmn-js, toolkit, web modeler, modeler, modeling, process modeling
Dependencies (8)
| Package | Constraint | Registry Status |
|---|---|---|
| ids | ^3.0.0 | auto_approved |
| min-dom | ^5.2.0 | auto_approved |
| min-dash | ^5.0.0 | auto_approved |
| tiny-svg | ^4.1.4 | auto_approved |
| diagram-js | ^15.10.0 | auto_approved |
| bpmn-moddle | ^10.0.0 | auto_approved |
| inherits-browser | ^0.1.0 | auto_approved |
| diagram-js-direct-editing | ^3.3.0 | auto_approved |
Dev Dependencies (45)
| Package | Constraint | Registry Status |
|---|---|---|
| cpy | ^13.0.0 | auto_approved |
| del | ^8.0.0 | auto_approved |
| chai | 4.1.2 | auto_approved |
| execa | ^9.0.0 | auto_approved |
| karma | ^6.4.4 | auto_approved |
| mocha | ^10.8.2 | auto_approved |
| sinon | ^17.0.1 | auto_approved |
| eslint | ^9.39.2 | auto_approved |
| rollup | ^4.55.1 | auto_approved |
| bio-dts | ^0.11.0 | Not imported |
| del-cli | ^7.0.0 | auto_approved |
| webpack | ^5.104.1 | auto_approved |
| bpmn-font | ^0.12.1 | Not imported |
| cross-env | ^10.0.0 | auto_approved |
| puppeteer | ~24.36.0 | auto_approved |
| ts-expect | ^1.3.0 | auto_approved |
| chai-match | ^1.1.1 | Not imported |
| file-drops | ^0.7.0 | Not imported |
| remark-cli | ^12.0.1 | Not imported |
| sinon-chai | ^3.7.0 | auto_approved |
| typescript | ^5.9.3 | auto_approved |
| @babel/core | ^7.28.5 | auto_approved |
| karma-mocha | ^2.0.1 | auto_approved |
| babel-loader | ^10.0.0 | pending |
| npm-run-all2 | ^8.0.4 | auto_approved |
| @bpmn-io/a11y | ^0.1.0 | Not imported |
| karma-webpack | ^5.0.1 | auto_approved |
| karma-coverage | ^2.2.0 | auto_approved |
| karma-sinon-chai | ^2.0.2 | Not imported |
| @rollup/plugin-json | ^6.1.0 | auto_approved |
| camunda-bpmn-moddle | ^4.0.1 | auto_approved |
| karma-debug-launcher | ^0.0.5 | Not imported |
| @rollup/plugin-terser | ^1.0.0 | auto_approved |
| babel-plugin-istanbul | ^7.0.1 | auto_approved |
| eslint-plugin-bpmn-io | ^2.2.0 | Not imported |
| karma-safari-launcher | ^1.0.0 | auto_approved |
| remark-preset-bpmn-io | ^0.4.0 | Not imported |
| rollup-plugin-license | ^3.6.0 | pending |
| @rollup/plugin-replace | ^6.0.3 | auto_approved |
| karma-env-preprocessor | ^0.1.1 | Not imported |
| karma-firefox-launcher | ^2.1.3 | auto_approved |
| @rollup/plugin-commonjs | ^29.0.0 | auto_approved |
| karma-chrome-launcher-2 | ^3.3.0 | needs_review |
| @rollup/plugin-node-resolve | ^16.0.3 | auto_approved |
| mocha-test-container-support | 0.2.0 | Not imported |
Transitive Dependency Tree
17 transitive deps
max depth 3
├─ bpmn-moddle ^10.0.0 → 10.0.0
├─ diagram-js ^15.10.0 → 15.13.0
├─ diagram-js-direct-editing ^3.3.0 → 3.3.0
├─ ids ^3.0.0 → 3.0.2
├─ inherits-browser ^0.1.0 → 0.1.0
├─ min-dash ^5.0.0 → 5.0.0
├─ min-dom ^5.2.0 → 5.3.0
├─ tiny-svg ^4.1.4 → 4.1.4
├─ @bpmn-io/diagram-js-ui ^0.2.3
├─ clsx ^2.1.1 → 2.1.1
├─ didi ^11.0.0 → 11.0.0
├─ domify ^3.0.0
├─ inherits-browser ^0.1.0
├─ min-dash ^5.0.0 → 5.0.0
├─ min-dom ^5.2.0 → 5.3.0
├─ min-dom ^5.3.0 → 5.3.0
├─ moddle ^8.0.0 → 8.1.0
├─ moddle-xml ^12.0.0 → 12.0.0
├─ object-refs ^0.4.0
├─ path-intersection ^4.1.0 → 4.1.0
├─ tiny-svg ^4.1.4
├─ domify ^3.0.0
├─ min-dash ^5.0.0 → 5.0.0
├─ saxen ^11.0.2
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed to a brand-new account with no track record; consistent with account compromise. |
| bogus-package | bogus-package | reject | AI | AI (bogus-package): Spam-flagged maintainer added and effectively empty main entry point are disqualifying signals. |
SAST Findings (2)
HIGH
Publisher changed: nikku → alekseymanetov (on 2026-03-23)
provenance
This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3), 3 info (+0).
Commit: cc0989511e31
Published to npm: