← Home

vitepress-plugin-llms

32
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

okinea

Keywords

aidocumentationllmspluginvite-pluginvitepressvitepress-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:unist-util-remove AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:markdown-title AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:remark-frontmatter AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:remark AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:tokenx AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:millify AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:byte-size AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:minimatch AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
phantom-deps phantom-dep:picocolors AI (phantom-deps): Listed in dependencies; bundled into dist by bunup build tool. ai
provenance publisher-changed AI (provenance): Transition from personal account to GitHub Actions CI/CD with SLSA provenance; consistent with legitimate automation adoption. ai
publish-pattern new-deps-added AI (publish-pattern): markdown-it and pretty-bytes are established packages; addition is benign for this VitePress plugin. ai
npm-metadata url-dep:@actions/github-script AI (npm-metadata): devDependency only; @actions/github-script is a CI utility not included in published package output. ai
dependencies unvetted-dep:markdown-it AI (dependencies): markdown-it is a widely-used, well-maintained markdown parser; not a risk for this package. ai
dependencies unvetted-dep:markdown-title AI (dependencies): markdown-title is a small, stable utility; no known risk for this package. ai

Versions (showing 32 of 32)

Version Deps Published
1.13.2 14 / 16
1.13.1 14 / 16
1.13.0 14 / 16
1.12.2 14 / 16
1.12.1 14 / 16
1.12.0 14 / 16
1.11.1 14 / 16
1.11.0 14 / 16
1.10.0 14 / 13
1.9.3 14 / 12
1.9.2 14 / 12
1.9.1 14 / 12
1.9.0 14 / 12
1.8.1 14 / 12
1.8.0 14 / 12
1.7.5 13 / 11
1.7.4 13 / 11
1.7.3 13 / 11
1.7.2 13 / 10
1.7.1 13 / 9
1.7.0 13 / 9
1.6.0 13 / 9
1.5.1 12 / 9
1.5.0 12 / 9
1.4.0 12 / 9
1.3.4 11 / 9
1.3.3 11 / 11
1.3.2 11 / 11
1.3.1 11 / 11
1.3.0 11 / 11
1.2.0 11 / 11
1.1.4 10 / 10

v1.13.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.13.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.1

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: okinea → GitHub Actions (on 2025-10-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.

v1.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.