@csstools/css-color-parser MIT 43 versions

@csstools/css-color-parser

npm Repository Homepage

Parse CSS color values

43

Versions

MIT

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jonathantnealalagunaromainmenke

Keywords

colorcssparser

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from alaguna to romainmenke is a documented handoff within the csstools org; both are listed as contributors in package.json. romainmenke has a strong track record (927 approved, 0 rejected).	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): romainmenke is a co-contributor explicitly listed in package.json and is a highly trusted publisher in the ecosystem. Addition is legitimate.	ai	2026/04/24
dependencies	unvetted-dep:@csstools/color-helpers	AI (dependencies): Sibling package within the same @csstools org/monorepo; same publisher and trust chain as this package.	ai	2026/04/21
phantom-deps	phantom-dep:@csstools/css-calc	AI (phantom-deps): Same-org dependency declared in package.json; phantom-dep flag is a false positive for this CSS tooling package.	ai	2026/04/21

Versions (showing 43 of 43)

Version	Deps	Published
4.1.1	2 / 0	2026-05-13
4.1.0	2 / 0	2026-04-12
4.0.2	2 / 0	2026-02-21
4.0.1	2 / 0	2026-01-25
4.0.0	2 / 0	2026-01-14
3.1.0	2 / 0	2025-08-22
3.0.10	2 / 0	2025-05-27
3.0.9	2 / 0	2025-04-19
3.0.8	2 / 0	2025-02-23
3.0.7	2 / 0	2024-12-27
3.0.6	2 / 0	2024-11-11
3.0.5	2 / 0	2024-11-01
3.0.4	2 / 0	2024-10-23
3.0.3	2 / 0	2024-10-10
3.0.2	2 / 0	2024-08-18
3.0.1	2 / 0	2024-08-14
3.0.0	2 / 0	2024-08-03
2.0.5	2 / 0	2024-07-13
2.0.4	2 / 0	2024-07-06
2.0.3	2 / 0	2024-06-29
2.0.2	2 / 0	2024-05-04
2.0.1	2 / 0	2024-05-04
2.0.0	2 / 0	2024-04-21
1.6.3	2 / 0	2024-03-31
1.6.2	2 / 0	2024-03-16
1.6.1	2 / 0	2024-03-16
1.6.0	2 / 0	2024-03-13
1.5.2	2 / 0	2024-02-19
1.5.1	2 / 0	2023-12-31
1.5.0	2 / 0	2023-12-15
1.4.0	2 / 0	2023-10-09
1.3.3	2 / 0	2023-10-02
1.3.2	2 / 0	2023-09-24
1.3.1	2 / 0	2023-09-02
1.3.0	2 / 0	2023-08-28
1.2.3	2 / 0	2023-07-24
1.2.2	2 / 0	2023-07-03
1.2.1	2 / 0	2023-06-14
1.2.0	2 / 0	2023-05-19
1.1.2	2 / 0	2023-04-10
1.1.1	2 / 0	2023-04-10
1.1.0	2 / 0	2023-03-28
1.0.0	2 / 0	2023-03-25

v4.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-04-21) provenance

This version was published by a different npm account than previous versions on 2024-04-21. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.3

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-03-31) provenance

This version was published by a different npm account than previous versions on 2024-03-31. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.2

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-03-16) provenance

This version was published by a different npm account than previous versions on 2024-03-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.1

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-03-16) provenance

This version was published by a different npm account than previous versions on 2024-03-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-03-13) provenance

This version was published by a different npm account than previous versions on 2024-03-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.2

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2024-02-19) provenance

This version was published by a different npm account than previous versions on 2024-02-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.1

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-12-31) provenance

This version was published by a different npm account than previous versions on 2023-12-31. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-12-15) provenance

This version was published by a different npm account than previous versions on 2023-12-15. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-10-09) provenance

This version was published by a different npm account than previous versions on 2023-10-09. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.3

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-10-02) provenance

This version was published by a different npm account than previous versions on 2023-10-02. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-09-24) provenance

This version was published by a different npm account than previous versions on 2023-09-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-09-02) provenance

This version was published by a different npm account than previous versions on 2023-09-02. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-08-28) provenance

This version was published by a different npm account than previous versions on 2023-08-28. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.3

2 findings

HIGH Publisher changed: alaguna → romainmenke (on 2023-07-24) provenance

This version was published by a different npm account than previous versions on 2023-07-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.