@emmetio/css-abbreviation
Parses Emmet CSS abbreviation into AST tree
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): serge.che is Sergey Chikuyonok, the original Emmet author (listed in package.json author field). This is a legitimate org account restructuring, not a hostile takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher serge.che is the original Emmet creator; transition from emmetio to serge.che/emmetio-user is a legitimate account reorganization. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers emmetio-user and serge.che are the original Emmet project accounts; no hostile actor involved. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of emmetio account is part of the same legitimate org restructuring; serge.che is the original author. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @emmetio/scanner is a first-party dependency within the same Emmet organization namespace; consistent with legitimate refactoring. | ai |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 2.1.8 | 1 / 8 | |
| 2.1.7 | 1 / 8 | |
| 2.1.6 | 1 / 7 | |
| 2.1.5 | 1 / 7 | |
| 2.1.4 | 1 / 8 | |
| 2.1.3 | 1 / 8 | |
| 2.1.2 | 1 / 8 | |
| 2.1.1 | 1 / 8 | |
| 2.1.0 | 1 / 8 | |
| 2.0.1 | 1 / 8 | |
| 2.0.0 | 1 / 8 | |
| 0.4.0 | 3 / 4 | |
| 0.3.2 | 3 / 4 | |
| 0.3.1 | 3 / 4 | |
| 0.3.0 | 3 / 4 | |
| 0.2.2 | 2 / 4 | |
| 0.2.1 | 6 / 0 | |
| 0.2.0 | 6 / 0 | |
| 0.1.0 | 6 / 0 |
v2.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findingsAll previous maintainers (emmetio) were replaced by new maintainers (emmetio-user, serge.che). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2020-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.