All sanitize-html versions

[email protected] rejected Risk: 83 MIT

sanitize-html @2.17.4

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
83
Risk Score
MIT
License
No
Install Scripts
7
Dependencies
4
Dev Dependencies
20.0 KB
Package Size
Published

Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis

Maintainers

alexgilbertboutellromanekbodonkey

Keywords

htmlparsersanitizersanitize

Dependencies (7)

PackageConstraintRegistry Status
launder ^1.7.1 pending
postcss ^8.3.11 auto_approved
deepmerge ^4.2.2 auto_approved
htmlparser2 ^10.1.0 auto_approved
parse-srcset ^1.0.2 auto_approved
is-plain-object ^5.0.0 auto_approved
escape-string-regexp ^4.0.0 auto_approved

Dev Dependencies (4)

PackageConstraintRegistry Status
mocha ^11.7.5 auto_approved
sinon ^9.0.2 auto_approved
eslint ^9.39.1 auto_approved
eslint-config-apostrophe ^6.0.2 Not imported

Transitive Dependency Tree

14 transitive deps max depth 5
  ├─ deepmerge ^4.2.2 → 4.3.1
  ├─ escape-string-regexp ^4.0.0 → 4.0.0
  ├─ htmlparser2 ^10.1.0 → 10.1.0
  ├─ is-plain-object ^5.0.0 → 5.0.0
  ├─ parse-srcset ^1.0.2 → 1.0.2
├─ postcss ^8.3.11 → 8.5.14
  ├─ domelementtype ^2.3.0 → 2.3.0
  ├─ domhandler ^5.0.3 → 5.0.3
  ├─ domutils ^3.2.2 → 3.2.2
  ├─ entities ^7.0.1 → 7.0.1
  ├─ nanoid ^3.3.11 → 3.3.12
  ├─ picocolors ^1.1.1 → 1.1.1
├─ source-map-js ^1.2.1 → 1.2.1
  ├─ dom-serializer ^2.0.0 → 2.0.0
  ├─ domelementtype ^2.3.0 → 2.3.0
├─ domhandler ^5.0.3 → 5.0.3
  ├─ domelementtype ^2.3.0 → 2.3.0
  ├─ domhandler ^5.0.2 → 5.0.3
├─ entities ^4.2.0 → 4.5.0
  ├─ domelementtype ^2.3.0 → 2.3.0

Changes from v2.17.2

Dependency Changes

ChangePackageVersion
added launder ^1.7.1

File Changes

0 added 0 removed 3 modified size delta: -.4 KB

SAST Findings (3)

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: boutell.

HIGH Publisher changed: bodonkey → boutell (on 2026-05-13) provenance

This version was published by a different npm account than previous versions on 2026-05-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 83. Findings: 2 high (+50), 3 medium (+30), 1 low (+3).

Published to npm: