@ant-design/colors — Greenflagged

Color palettes calculator of Ant Design

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

afc163zombiejchenshuai2144arvinxxmadcccranranup123

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer list cleanup during major version bump within the Ant Design org; publisher zombiej is a trusted long-term contributor.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Both afc163 and zombiej are long-standing Ant Design team members; intra-team publisher rotation is expected for this org-scoped package.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer expansion on an established Ant Design package; consistent with ecosystem growth and team collaboration.	ai	2026/04/21
phantom-deps	phantom-dep:tslint	AI (phantom-deps): tslint was accidentally placed in dependencies instead of devDependencies; it is not imported at runtime. Benign packaging mistake consistent across versions of this package.	ai	2026/04/21
dependencies	unvetted-dep:tslint	AI (dependencies): tslint is a dev linting tool mistakenly listed as a runtime dep; not actually used at runtime. No security risk for this package.	ai	2026/04/21
dependencies	unvetted-dep:tinycolor2	AI (dependencies): tinycolor2 is a legitimate, widely-used color library; appropriate dependency for a color palette calculator.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): @ant-design/colors is a scoped package from the official Ant Design org, not a typosquat of cors. Levenshtein match is spurious.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Established package with 4M weekly downloads and a trusted publisher; lack of Sigstore provenance is not a meaningful risk signal here.	ai	2026/04/21

Versions (showing 16 of 16)

Version	Deps	Published
8.0.1	1 / 14	2026-01-05
8.0.0	1 / 14	2025-03-21
7.2.1	1 / 13	2025-05-20
7.2.0	1 / 13	2024-12-31
7.1.0	1 / 12	2024-07-02
7.0.2	1 / 9	2024-01-02
7.0.1	1 / 9	2023-12-29
7.0.0	1 / 10	2023-01-09
6.0.0	1 / 13	2021-02-10
5.1.1	1 / 13	2021-02-10
5.1.0	1 / 14	2021-02-09
5.0.1	1 / 13	2020-12-14
5.0.0	1 / 14	2020-11-12
3.2.0	1 / 14	2019-08-28
2.0.3	2 / 8	2018-12-31
2.0.1	2 / 8	2018-12-31