@csstools/convert-colors

Convert colors between RGB, HEX, HSL, HWB, LAB, LCH, and more

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jonathantnealalagunaromainmenke

Keywords

colorscontrastconversionsconvertingconvertshexhslhsvhwblablchrgbxyzbluegreenredblacknesshuelightnesssaturationwhitenesscieciede2000contrastwcag

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:index.mjs	AI (source-diff): Minified Rollup+Terser output with source maps shipped; standard bundled library pattern for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): romainmenke is a known csstools org contributor with a strong track record (894 approved, 0 rejected). This is a legitimate org-level maintainer transition, not a takeover.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (romainmenke, alaguna) are csstools org members. Legitimate org-level transfer consistent with the publisher's track record.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): Package is a stable color conversion utility; dormancy reflects completion, not abandonment. Revival by a known csstools org member for build tooling updates is benign.	ai	2026/04/23

Versions (showing 6 of 6)

Version	Deps	Published
2.0.1	0 / 5	2026-02-21
2.0.0	0 / 11	2019-01-29
1.4.0	0 / 8	2018-01-28
1.3.0	0 / 8	2018-01-26
1.1.0	0 / 8	2018-01-22
1.0.0	0 / 8	2018-01-22

v2.0.1

2 findings

HIGH Publisher changed: jonathantneal → romainmenke (on 2026-02-21) provenance

This version was published by a different npm account than previous versions on 2026-02-21. This could indicate a legitimate maintainer transition or an account compromise.