@elhub/ds-css — Greenflagged

CSS for Elhub design system

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

paloskarssandoy-elhub

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA attestation; expected for org-managed packages.	ai	2026/06/09
phantom-deps	phantom-dep:@elhub/ds-tokens	AI (phantom-deps): Same-org CSS token package; referenced via PostCSS import in CSS files, not JS imports.	ai	2026/05/16
phantom-deps	phantom-dep:rc-motion	AI (phantom-deps): CSS-only package; rc-motion styles likely referenced in PostCSS config, not JS imports.	ai	2026/05/16
phantom-deps	phantom-dep:react-datepicker	AI (phantom-deps): CSS-only package; react-datepicker styles likely referenced in PostCSS config, not JS imports.	ai	2026/05/16

Versions (showing 4 of 4)

Version	Deps	Published
6.1.6	3 / 9	2026-06-08
6.1.5	3 / 9	2026-05-06
6.1.4	3 / 9	2026-05-06
6.1.3	3 / 9	2026-04-30

v6.1.6

2 findings

HIGH Publisher changed: paloskar → GitHub Actions (on 2026-06-08) provenance

This version was published by a different npm account than previous versions on 2026-06-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.5

2 findings

HIGH Publisher changed: paloskar → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.4

2 findings

HIGH Publisher changed: paloskar → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.