fumadocs-core @16.8.9
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
80
Risk Score
—
License
No
Install Scripts
17
Dependencies
32
Dev Dependencies
125.2 KB
Package Size
Published
Maintainers
sonmoosans
Keywords
DocsFumadocs
Dependencies (17)
| Package | Constraint | Registry Status |
|---|---|---|
| shiki | ^4.0.2 | auto_approved |
| vfile | ^6.0.3 | auto_approved |
| remark | ^15.0.1 | auto_approved |
| js-yaml | ^4.1.1 | auto_approved |
| unified | ^11.0.5 | auto_approved |
| remark-gfm | ^4.0.1 | auto_approved |
| tinyglobby | ^0.2.16 | auto_approved |
| @orama/orama | ^3.1.18 | auto_approved |
| remark-rehype | ^11.1.2 | auto_approved |
| github-slugger | ^2.0.0 | auto_approved |
| mdast-util-mdx | ^3.0.0 | auto_approved |
| unist-util-visit | ^5.1.0 | auto_approved |
| hast-util-to-estree | ^3.1.3 | auto_approved |
| mdast-util-to-markdown | ^2.1.2 | auto_approved |
| hast-util-to-jsx-runtime | ^2.3.6 | auto_approved |
| scroll-into-view-if-needed | ^3.1.0 | auto_approved |
| estree-util-value-to-estree | ^3.5.0 | auto_approved |
Dev Dependencies (32)
| Package | Constraint | Registry Status |
|---|---|---|
| zod | ^4.4.3 | auto_approved |
| next | 16.2.6 | auto_approved |
| waku | 1.0.0-alpha.10 | auto_approved |
| tsdown | 0.22.0 | needs_review |
| tsconfig | 0.0.0 | pending |
| flexsearch | ^0.8.212 | needs_review |
| image-size | ^2.0.2 | auto_approved |
| negotiator | ^1.0.0 | auto_approved |
| remark-mdx | ^3.1.1 | auto_approved |
| typescript | ^6.0.3 | auto_approved |
| @mdx-js/mdx | ^3.1.1 | auto_approved |
| @orama/core | ^1.2.19 | Not imported |
| @types/hast | ^3.0.4 | auto_approved |
| @types/node | 25.6.2 | auto_approved |
| npm-to-yarn | ^3.0.1 | auto_approved |
| @types/mdast | ^4.0.4 | auto_approved |
| @types/react | ^19.2.14 | auto_approved |
| lucide-react | ^1.14.0 | auto_approved |
| react-router | ^7.15.0 | auto_approved |
| algoliasearch | 5.52.1 | auto_approved |
| @types/js-yaml | ^4.0.9 | auto_approved |
| path-to-regexp | ^8.4.2 | auto_approved |
| @mixedbread/sdk | ^0.65.0 | auto_approved |
| remove-markdown | ^0.6.4 | auto_approved |
| @types/react-dom | ^19.2.3 | auto_approved |
| remark-directive | ^4.0.0 | auto_approved |
| @types/estree-jsx | ^1.0.5 | auto_approved |
| @types/negotiator | ^0.6.4 | auto_approved |
| @oramacloud/client | ^2.1.4 | Not imported |
| @shikijs/transformers | ^4.0.2 | auto_approved |
| @tanstack/react-router | 1.169.2 | auto_approved |
| @formatjs/intl-localematcher | ^0.8.6 | auto_approved |
Transitive Dependency Tree
125 transitive deps
max depth 10
├─
@orama/orama
^3.1.18
→ 3.1.18
├─
estree-util-value-to-estree
^3.5.0
→ 3.5.0
├─
github-slugger
^2.0.0
→ 2.0.0
├─
hast-util-to-estree
^3.1.3
→ 3.1.3
├─
hast-util-to-jsx-runtime
^2.3.6
→ 2.3.6
├─
js-yaml
^4.1.1
→ 4.1.1
├─
mdast-util-mdx
^3.0.0
→ 3.0.0
├─
mdast-util-to-markdown
^2.1.2
→ 2.1.2
├─
remark
^15.0.1
→ 15.0.1
├─
remark-gfm
^4.0.1
→ 4.0.1
├─
remark-rehype
^11.1.2
→ 11.1.2
├─
scroll-into-view-if-needed
^3.1.0
→ 3.1.0
├─
shiki
^4.0.2
→ 4.0.2
├─
tinyglobby
^0.2.16
→ 0.2.16
├─
unified
^11.0.5
→ 11.0.5
├─
unist-util-visit
^5.1.0
→ 5.1.0
├─
vfile
^6.0.3
→ 6.0.3
├─
@shikijs/core
4.0.2
→ 4.0.2
├─
@shikijs/engine-javascript
4.0.2
→ 4.0.2
├─
@shikijs/engine-oniguruma
4.0.2
→ 4.0.2
├─
@shikijs/langs
4.0.2
→ 4.0.2
├─
@shikijs/themes
4.0.2
→ 4.0.2
├─
@shikijs/types
4.0.2
→ 4.0.2
├─
@shikijs/vscode-textmate
^10.0.2
→ 10.0.2
├─
@types/estree
^1.0.0
→ 1.0.8
├─
@types/estree-jsx
^1.0.0
→ 1.0.5
├─
@types/hast
^3.0.0
→ 3.0.4
├─
@types/hast
^3.0.4
→ 3.0.4
├─
@types/mdast
^4.0.0
├─
@types/unist
^3.0.0
→ 3.0.3
├─
argparse
^2.0.1
→ 2.0.1
├─
bail
^2.0.0
→ 2.0.2
├─
comma-separated-tokens
^2.0.0
→ 2.0.3
├─
comma-separated-tokens
^2.0.0
├─
compute-scroll-into-view
^3.0.2
├─
devlop
^1.0.0
→ 1.1.0
├─
estree-util-attach-comments
^3.0.0
├─
estree-util-is-identifier-name
^3.0.0
→ 3.0.0
├─
extend
^3.0.0
→ 3.0.2
├─
fdir
^6.5.0
→ 6.5.0
├─
hast-util-whitespace
^3.0.0
→ 3.0.0
├─
is-plain-obj
^4.0.0
→ 4.1.0
├─
longest-streak
^3.0.0
├─
mdast-util-from-markdown
^2.0.0
→ 2.0.3
├─
mdast-util-gfm
^3.0.0
→ 3.1.0
├─
mdast-util-mdx-expression
^2.0.0
→ 2.0.1
├─
mdast-util-mdx-jsx
^3.0.0
→ 3.2.0
├─
mdast-util-mdxjs-esm
^2.0.0
→ 2.0.1
├─
mdast-util-phrasing
^4.0.0
→ 4.1.0
├─
mdast-util-to-hast
^13.0.0
├─
mdast-util-to-markdown
^2.0.0
→ 2.1.2
├─
mdast-util-to-string
^4.0.0
├─
micromark-extension-gfm
^3.0.0
→ 3.0.0
├─
micromark-util-classify-character
^2.0.0
├─
micromark-util-decode-string
^2.0.0
→ 2.0.1
├─
picomatch
^4.0.4
→ 4.0.4
├─
property-information
^7.0.0
→ 7.1.0
├─
remark-parse
^11.0.0
├─
remark-stringify
^11.0.0
→ 11.0.0
├─
space-separated-tokens
^2.0.0
├─
space-separated-tokens
^2.0.0
→ 2.0.2
├─
style-to-js
^1.0.0
→ 1.1.21
├─
trough
^2.0.0
→ 2.2.0
├─
unified
^11.0.0
→ 11.0.5
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
unist-util-position
^5.0.0
→ 5.0.0
├─
unist-util-position
^5.0.0
├─
unist-util-visit
^5.0.0
→ 5.0.0
├─
unist-util-visit-parents
^6.0.0
→ 6.0.2
├─
vfile
^6.0.0
→ 6.0.3
├─
vfile-message
^4.0.0
→ 4.0.3
├─
zwitch
^2.0.0
├─
@shikijs/primitive
4.0.2
→ 4.0.2
├─
@shikijs/types
4.0.2
→ 4.0.2
├─
@shikijs/vscode-textmate
^10.0.2
→ 10.0.2
├─
@types/estree
*
→ 1.0.8
├─
@types/estree-jsx
^1.0.0
→ 1.0.5
├─
@types/hast
^3.0.0
→ 3.0.4
├─
@types/hast
^3.0.4
→ 3.0.4
├─
@types/mdast
^4.0.0
├─
@types/unist
^3.0.0
→ 3.0.3
├─
@types/unist
*
├─
bail
^2.0.0
→ 2.0.2
├─
ccount
^2.0.0
├─
decode-named-character-reference
^1.0.0
→ 1.3.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
devlop
^1.1.0
→ 1.1.0
├─
extend
^3.0.0
→ 3.0.2
├─
hast-util-to-html
^9.0.5
→ 9.0.5
├─
is-plain-obj
^4.0.0
→ 4.1.0
├─
longest-streak
^3.0.0
├─
mdast-util-from-markdown
^2.0.0
→ 2.0.3
├─
mdast-util-gfm-autolink-literal
^2.0.0
→ 2.0.1
├─
mdast-util-gfm-footnote
^2.0.0
→ 2.1.0
├─
mdast-util-gfm-strikethrough
^2.0.0
→ 2.0.0
├─
mdast-util-gfm-table
^2.0.0
→ 2.0.0
├─
mdast-util-gfm-task-list-item
^2.0.0
→ 2.0.0
├─
mdast-util-phrasing
^4.0.0
→ 4.1.0
├─
mdast-util-to-markdown
^2.0.0
→ 2.1.2
├─
mdast-util-to-string
^4.0.0
├─
micromark
^4.0.0
→ 4.0.2
├─
micromark-extension-gfm-autolink-literal
^2.0.0
→ 2.1.0
├─
micromark-extension-gfm-footnote
^2.0.0
→ 2.1.0
├─
micromark-extension-gfm-strikethrough
^2.0.0
→ 2.1.0
├─
micromark-extension-gfm-table
^2.0.0
→ 2.1.1
├─
micromark-extension-gfm-tagfilter
^2.0.0
├─
micromark-extension-gfm-task-list-item
^2.0.0
→ 2.1.0
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-classify-character
^2.0.0
├─
micromark-util-combine-extensions
^2.0.0
→ 2.0.1
├─
micromark-util-decode-numeric-character-reference
^2.0.0
├─
micromark-util-decode-numeric-character-reference
^2.0.0
→ 2.0.2
├─
micromark-util-decode-string
^2.0.0
→ 2.0.1
├─
micromark-util-normalize-identifier
^2.0.0
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-types
^2.0.0
├─
oniguruma-to-es
^4.3.4
→ 4.3.6
├─
parse-entities
^4.0.0
→ 4.0.2
├─
stringify-entities
^4.0.0
→ 4.0.4
├─
style-to-object
1.0.14
→ 1.0.14
├─
trough
^2.0.0
→ 2.2.0
├─
unified
^11.0.0
→ 11.0.5
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
unist-util-stringify-position
^4.0.0
├─
unist-util-visit
^5.0.0
→ 5.0.0
├─
unist-util-visit-parents
^6.0.0
→ 6.0.2
├─
vfile
^6.0.0
→ 6.0.3
├─
vfile-message
^4.0.0
→ 4.0.3
├─
zwitch
^2.0.0
├─
@shikijs/types
4.0.2
→ 4.0.2
├─
@shikijs/vscode-textmate
^10.0.2
→ 10.0.2
├─
@types/debug
^4.0.0
→ 4.1.13
├─
@types/estree
*
→ 1.0.8
├─
@types/hast
^3.0.4
→ 3.0.4
├─
@types/hast
^3.0.0
→ 3.0.4
├─
@types/mdast
^4.0.0
├─
@types/unist
*
├─
@types/unist
^3.0.0
→ 3.0.3
├─
@types/unist
^2.0.0
├─
bail
^2.0.0
→ 2.0.2
├─
ccount
^2.0.0
├─
ccount
^2.0.0
→ 2.0.1
├─
character-entities
^2.0.0
├─
character-entities-html4
^2.0.0
├─
character-entities-legacy
^3.0.0
├─
character-reference-invalid
^2.0.0
├─
comma-separated-tokens
^2.0.0
→ 2.0.3
├─
debug
^4.0.0
→ 4.4.3
├─
decode-named-character-reference
^1.0.0
→ 1.3.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
devlop
^1.1.0
→ 1.1.0
├─
extend
^3.0.0
→ 3.0.2
├─
hast-util-whitespace
^3.0.0
→ 3.0.0
├─
html-void-elements
^3.0.0
→ 3.0.0
├─
inline-style-parser
0.2.7
→ 0.2.7
├─
is-alphanumerical
^2.0.0
→ 2.0.1
├─
is-decimal
^2.0.0
├─
is-hexadecimal
^2.0.0
├─
is-plain-obj
^4.0.0
→ 4.1.0
├─
longest-streak
^3.0.0
├─
markdown-table
^3.0.0
→ 3.0.4
├─
mdast-util-find-and-replace
^3.0.0
→ 3.0.2
├─
mdast-util-from-markdown
^2.0.0
→ 2.0.3
├─
mdast-util-phrasing
^4.0.0
→ 4.1.0
├─
mdast-util-to-hast
^13.0.0
├─
mdast-util-to-markdown
^2.0.0
→ 2.1.2
├─
mdast-util-to-string
^4.0.0
├─
micromark
^4.0.0
→ 4.0.2
├─
micromark-core-commonmark
^2.0.0
→ 2.0.3
├─
micromark-factory-space
^2.0.0
→ 2.0.1
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-chunked
^2.0.0
├─
micromark-util-classify-character
^2.0.0
├─
micromark-util-combine-extensions
^2.0.0
→ 2.0.1
├─
micromark-util-decode-numeric-character-reference
^2.0.0
→ 2.0.2
├─
micromark-util-decode-numeric-character-reference
^2.0.0
├─
micromark-util-decode-string
^2.0.0
→ 2.0.1
├─
micromark-util-encode
^2.0.0
├─
micromark-util-normalize-identifier
^2.0.0
├─
micromark-util-resolve-all
^2.0.0
├─
micromark-util-sanitize-uri
^2.0.0
→ 2.0.1
├─
micromark-util-subtokenize
^2.0.0
→ 2.1.0
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-types
^2.0.0
├─
micromark-util-types
^2.0.0
→ 2.0.2
├─
oniguruma-parser
^0.12.2
├─
property-information
^7.0.0
→ 7.1.0
├─
regex
^6.1.0
→ 6.1.0
├─
regex-recursion
^6.0.2
→ 6.0.2
├─
space-separated-tokens
^2.0.0
→ 2.0.2
├─
stringify-entities
^4.0.0
→ 4.0.4
├─
trough
^2.0.0
→ 2.2.0
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
unist-util-stringify-position
^4.0.0
├─
unist-util-visit
^5.0.0
→ 5.0.0
├─
unist-util-visit-parents
^6.0.0
→ 6.0.2
├─
vfile
^6.0.0
→ 6.0.3
├─
vfile-message
^4.0.0
→ 4.0.3
├─
zwitch
^2.0.4
→ 2.0.4
├─
zwitch
^2.0.0
├─
@shikijs/vscode-textmate
^10.0.2
→ 10.0.2
├─
@types/debug
^4.0.0
→ 4.1.13
├─
@types/hast
^3.0.0
→ 3.0.4
├─
@types/hast
^3.0.4
→ 3.0.4
├─
@types/mdast
^4.0.0
├─
@types/ms
*
├─
@types/unist
*
├─
@types/unist
^3.0.0
→ 3.0.3
├─
character-entities
^2.0.0
├─
character-entities-html4
^2.0.0
├─
character-entities-legacy
^3.0.0
├─
debug
^4.0.0
→ 4.4.3
├─
decode-named-character-reference
^1.0.0
→ 1.3.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
escape-string-regexp
^5.0.0
→ 5.0.0
├─
is-alphabetical
^2.0.0
→ 2.0.1
├─
is-decimal
^2.0.0
├─
longest-streak
^3.0.0
├─
mdast-util-phrasing
^4.0.0
→ 4.1.0
├─
mdast-util-to-string
^4.0.0
├─
micromark
^4.0.0
→ 4.0.2
├─
micromark-core-commonmark
^2.0.0
→ 2.0.3
├─
micromark-factory-destination
^2.0.0
├─
micromark-factory-label
^2.0.0
→ 2.0.1
├─
micromark-factory-space
^2.0.0
→ 2.0.1
├─
micromark-factory-title
^2.0.0
├─
micromark-factory-whitespace
^2.0.0
→ 2.0.1
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-chunked
^2.0.0
├─
micromark-util-chunked
^2.0.0
→ 2.0.1
├─
micromark-util-classify-character
^2.0.0
→ 2.0.1
├─
micromark-util-classify-character
^2.0.0
├─
micromark-util-combine-extensions
^2.0.0
→ 2.0.1
├─
micromark-util-decode-numeric-character-reference
^2.0.0
→ 2.0.2
├─
micromark-util-decode-numeric-character-reference
^2.0.0
├─
micromark-util-decode-string
^2.0.0
→ 2.0.1
├─
micromark-util-encode
^2.0.0
├─
micromark-util-html-tag-name
^2.0.0
├─
micromark-util-normalize-identifier
^2.0.0
→ 2.0.1
├─
micromark-util-normalize-identifier
^2.0.0
├─
micromark-util-resolve-all
^2.0.0
├─
micromark-util-sanitize-uri
^2.0.0
→ 2.0.1
├─
micromark-util-subtokenize
^2.0.0
→ 2.1.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-types
^2.0.0
→ 2.0.2
├─
micromark-util-types
^2.0.0
├─
ms
^2.1.3
→ 2.1.3
├─
regex-utilities
^2.3.0
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
unist-util-is
^6.0.0
├─
unist-util-stringify-position
^4.0.0
├─
unist-util-visit
^5.0.0
→ 5.0.0
├─
unist-util-visit-parents
^6.0.0
→ 6.0.2
├─
vfile-message
^4.0.0
→ 4.0.3
├─
zwitch
^2.0.0
├─
@types/debug
^4.0.0
→ 4.1.13
├─
@types/mdast
^4.0.0
├─
@types/ms
*
├─
@types/unist
*
├─
@types/unist
^3.0.0
→ 3.0.3
├─
character-entities
^2.0.0
├─
debug
^4.0.0
→ 4.4.3
├─
decode-named-character-reference
^1.0.0
→ 1.3.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
micromark-core-commonmark
^2.0.0
→ 2.0.3
├─
micromark-factory-destination
^2.0.0
├─
micromark-factory-label
^2.0.0
→ 2.0.1
├─
micromark-factory-space
^2.0.0
→ 2.0.1
├─
micromark-factory-title
^2.0.0
├─
micromark-factory-whitespace
^2.0.0
→ 2.0.1
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-chunked
^2.0.0
├─
micromark-util-chunked
^2.0.0
→ 2.0.1
├─
micromark-util-classify-character
^2.0.0
→ 2.0.1
├─
micromark-util-combine-extensions
^2.0.0
→ 2.0.1
├─
micromark-util-decode-numeric-character-reference
^2.0.0
→ 2.0.2
├─
micromark-util-encode
^2.0.0
├─
micromark-util-html-tag-name
^2.0.0
├─
micromark-util-normalize-identifier
^2.0.0
→ 2.0.1
├─
micromark-util-normalize-identifier
^2.0.0
├─
micromark-util-resolve-all
^2.0.0
├─
micromark-util-sanitize-uri
^2.0.0
→ 2.0.1
├─
micromark-util-subtokenize
^2.0.0
→ 2.1.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-types
^2.0.0
├─
micromark-util-types
^2.0.0
→ 2.0.2
├─
ms
^2.1.3
→ 2.1.3
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
unist-util-stringify-position
^4.0.0
├─
unist-util-visit-parents
^6.0.0
→ 6.0.2
├─
@types/ms
*
├─
@types/unist
^3.0.0
→ 3.0.3
├─
character-entities
^2.0.0
├─
decode-named-character-reference
^1.0.0
→ 1.3.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
micromark-factory-destination
^2.0.0
├─
micromark-factory-label
^2.0.0
→ 2.0.1
├─
micromark-factory-space
^2.0.0
→ 2.0.1
├─
micromark-factory-title
^2.0.0
├─
micromark-factory-whitespace
^2.0.0
→ 2.0.1
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-chunked
^2.0.0
→ 2.0.1
├─
micromark-util-chunked
^2.0.0
├─
micromark-util-classify-character
^2.0.0
→ 2.0.1
├─
micromark-util-encode
^2.0.0
├─
micromark-util-html-tag-name
^2.0.0
├─
micromark-util-normalize-identifier
^2.0.0
→ 2.0.1
├─
micromark-util-resolve-all
^2.0.0
├─
micromark-util-subtokenize
^2.0.0
→ 2.1.0
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-types
^2.0.0
├─
micromark-util-types
^2.0.0
→ 2.0.2
├─
ms
^2.1.3
→ 2.1.3
├─
unist-util-is
^6.0.0
→ 6.0.1
├─
@types/unist
^3.0.0
→ 3.0.3
├─
character-entities
^2.0.0
├─
dequal
^2.0.0
→ 2.0.3
├─
devlop
^1.0.0
→ 1.1.0
├─
micromark-factory-space
^2.0.0
→ 2.0.1
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-chunked
^2.0.0
→ 2.0.1
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-types
^2.0.0
├─
micromark-util-types
^2.0.0
→ 2.0.2
├─
dequal
^2.0.0
→ 2.0.3
├─
micromark-util-character
^2.0.0
→ 2.1.1
├─
micromark-util-symbol
^2.0.0
→ 2.0.1
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-types
^2.0.0
├─
micromark-util-symbol
^2.0.0
├─
micromark-util-types
^2.0.0
Changes from v16.8.8
No metadata changes detected.
File Changes
2 added
2 removed
13 modified
size delta: +.5 KB
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
regressed-provenance |
provenance | reject | AI | AI (provenance): Provenance regression combined with publisher change is a strong compromise signal for this package. | |
publisher-changed |
provenance | reject | AI | AI (provenance): Publisher changed from GitHub Actions to a human account first seen 24 days ago with no prior publish history. |
SAST Findings (2)
CRITICAL
Provenance attestation missing — previous versions had it
provenance
[Always reject] This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
CRITICAL
Publisher changed: GitHub Actions → sonmoosans (on 2026-05-10)
provenance
[Always reject] This version was published by a different npm account than previous versions on 2026-05-10. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 80. Findings: 2 critical (+80), 3 info (+0).
Published to npm: