@emotion/css — Greenflagged

The Next Generation of CSS-in-JS.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

emmatowntkh44emotion-release-botandarist

Keywords

stylesemotionreactcsscss-in-js

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): All new deps (@emotion/cache, @emotion/sheet, @emotion/babel-plugin) are first-party emotion scoped packages. Replacing babel-plugin-emotion with @emotion/babel-plugin is the documented v11 migration.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): mitchellhamilton's removal is part of the documented emotion-js org transition to a release bot model. No compromise indicators.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): v10→v11 major version adds multiple dist formats (CJS/ESM/UMD, dev/prod, create-instance entrypoint). Size increase is structural, not injected payload.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Size increase from 3KB to 60KB reflects the v11 multi-format distribution (CJS, ESM, UMD, TypeScript types, create-instance). Fully explained by legitimate packaging changes.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): emotion-release-bot is the official release account for the emotion-js org; transition from mitchellhamilton is documented and legitimate. Stable for this package.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): emmatown, emotion-release-bot, and andarist are recognized emotion-js contributors. This is a legitimate team transition, not a takeover.	ai	2026/04/22
typosquat	typosquat.levenshtein:qs	AI (typosquat): @emotion/css is the legitimate Emotion CSS-in-JS library, not a typosquat of 'qs'. The scoped package name and completely different domain make this a clear false positive.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Emotion packages are published via a release bot without Sigstore provenance; this is consistent across all their packages and is not a risk signal for this well-established publisher.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): @emotion/css is the legitimate Emotion CSS-in-JS library, not a typosquat of 'cors'. The scoped package name and completely different domain make this a clear false positive.	ai	2026/04/21

Versions (showing 48 of 48)

Version	Deps	Published
11.13.5	5 / 2	2024-11-20
11.13.4	5 / 2	2024-10-01
11.13.0	5 / 2	2024-07-20
11.12.0	5 / 2	2024-07-19
11.11.2	5 / 2	2023-06-16
11.11.0	5 / 2	2023-05-06
11.10.8	5 / 2	2023-04-28
11.10.6	5 / 2	2023-02-16
11.10.5	5 / 3	2022-10-27
11.10.0	5 / 3	2022-07-31
11.9.0	5 / 3	2022-04-06
11.7.1	5 / 2	2021-12-12
11.5.0	5 / 2	2021-10-17
11.1.3	5 / 2	2020-12-20
11.0.0	5 / 2	2020-11-12
10.0.27	3 / 1	2019-12-22
10.0.22	3 / 1	2019-10-23
10.0.14	3 / 1	2019-06-25
10.0.12	3 / 1	2019-06-09
10.0.9	3 / 1	2019-03-11
10.0.8	3 / 1	2019-03-11
10.0.7	3 / 1	2019-02-04
10.0.6	3 / 1	2019-01-06
10.0.5	3 / 1	2018-12-14
10.0.4	3 / 1	2018-12-05
10.0.3	3 / 1	2018-12-05
10.0.2	3 / 1	2018-12-03
10.0.0	3 / 1	2018-11-27
0.9.8	2 / 0	2018-09-20
0.9.7	2 / 0	2018-08-04
0.9.6	3 / 0	2018-07-29
0.9.5	3 / 0	2018-07-15
0.9.4	3 / 0	2018-07-14
0.9.3	3 / 0	2018-07-04
0.9.2	3 / 0	2018-06-21
0.9.1	3 / 0	2018-06-16
0.9.0	3 / 0	2018-05-19
0.8.0	3 / 0	2018-05-13
0.7.0	3 / 0	2018-04-28
0.6.2	3 / 0	2018-04-14
0.6.0	3 / 0	2018-04-07
0.5.0	3 / 0	2018-03-30
0.4.1	3 / 0	2018-03-04
0.2.3	3 / 0	2018-02-17
0.2.1	3 / 0	2018-02-14
0.2.0	3 / 0	2018-02-10
0.0.5	3 / 0	2018-02-10
0.0.4	3 / 0	2018-02-09

v11.13.4

2 findings

HIGH Publisher changed: mitchellhamilton → emotion-release-bot (on 2024-10-01) provenance

This version was published by a different npm account than previous versions on 2024-10-01. This could indicate a legitimate maintainer transition or an account compromise.