document-model
Install the library:
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:sha1-uint8array | AI (dependencies): sha1-uint8array is a well-known lightweight SHA1 library for Uint8Array; its use is appropriate for document hashing in this package and is not a security concern. | ai | |
| license | copyleft-license:AGPL-3.0-only | AI (license): AGPL-3.0-only is the declared license for this package; it is a legal/compliance concern, not a security risk. Stable for all versions of this package. | ai | |

Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 6.1.0 | 3 / 10 | |
| 5.3.6 | 7 / 11 | |
| 5.0.12 | 7 / 11 | |
| 5.0.11 | 7 / 11 | |
| 5.0.10 | 7 / 11 | |
| 5.0.9 | 7 / 11 | |
| 5.0.8 | 7 / 11 | |
| 5.0.7 | 7 / 11 | |
| 5.0.6 | 7 / 11 | |
| 5.0.5 | 7 / 11 | |
| 5.0.4 | 7 / 11 | |
| 5.0.3 | 7 / 11 | |
| 5.0.2 | 7 / 11 | |
| 5.0.1 | 7 / 11 | |
| 5.0.0 | 7 / 11 | |

v6.1.0
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (memo.dev) than the most recent previously approved version (acaldas.powerhouse) on 2026-06-03, but memo.dev is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v5.3.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.