@emotion/serialize — Greenflagged

serialization utils for emotion

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

emmatowntkh44emotion-release-botandarist

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): emotion-utils is a core package within the emotion ecosystem; its addition as a dependency is expected and benign for @emotion/serialize.	ai	2026/04/22
provenance	missing-githead	AI (provenance): Established emotion-js package with clean history; missing gitHead reflects a publish environment change, not a security concern, given no other suspicious signals.	ai	2026/04/22
dependencies	unvetted-dep:@emotion/memoize	AI (dependencies): @emotion/memoize is a first-party Emotion org package published by the same trusted emotion-release-bot publisher; not a real risk for this package.	ai	2026/04/22
dependencies	unvetted-dep:@emotion/unitless	AI (dependencies): @emotion/unitless is a first-party Emotion org package published by the same trusted emotion-release-bot publisher; not a real risk for this package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Emotion project transitioned to emotion-release-bot with known maintainers (andarist, emmatown). Bot publisher has 162 approved / 0 rejected packages. Legitimate, documented transition.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (emmatown, emotion-release-bot, andarist) are known, trusted Emotion ecosystem contributors. This is a legitimate project governance change.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): mitchellhamilton stepping back is part of the documented Emotion project maintainer transition. No compromise indicators present.	ai	2026/04/22
provenance	no-provenance	AI (provenance): emotion-js packages are published via a release bot from the official monorepo; lack of Sigstore provenance is consistent across the ecosystem and not a risk signal here.	ai	2026/04/21

Versions (showing 56 of 56)

Version	Deps	Published
1.3.3	5 / 2	2024-11-20
1.3.2	5 / 2	2024-09-21
1.3.1	5 / 2	2024-08-21
1.3.0	5 / 2	2024-07-20
1.2.0	5 / 2	2024-07-19
1.1.4	5 / 2	2024-03-29
1.1.3	5 / 2	2023-12-23
1.1.2	5 / 2	2023-05-06
1.1.1	5 / 2	2022-10-27
1.1.0	5 / 2	2022-07-31
1.0.4	5 / 2	2022-06-12
1.0.3	5 / 2	2022-04-06
1.0.2	5 / 1	2021-04-08
1.0.1	5 / 1	2021-03-07
1.0.0	5 / 1	2020-11-12
0.11.16	5 / 1	2020-03-02
0.11.15	5 / 1	2019-12-22
0.11.14	5 / 1	2019-10-29
0.11.13	5 / 1	2019-10-24
0.11.12	5 / 1	2019-10-23
0.11.11	5 / 1	2019-09-17
0.11.10	5 / 1	2019-08-31
0.11.9	5 / 1	2019-08-02
0.11.8	5 / 1	2019-06-25
0.11.7	5 / 1	2019-06-09
0.11.6	5 / 1	2019-03-11
0.11.5	5 / 1	2019-03-11
0.11.4	5 / 1	2019-02-04
0.11.3	5 / 1	2018-12-14
0.11.2	5 / 1	2018-12-05
0.11.1	5 / 1	2018-12-05
0.11.0	5 / 1	2018-11-20
0.10.6	5 / 1	2018-11-13
0.10.5	5 / 1	2018-11-12
0.10.4	5 / 1	2018-11-12
0.10.3	5 / 1	2018-11-05
0.10.2	5 / 1	2018-11-02
0.10.1	5 / 1	2018-10-27
0.10.0	4 / 1	2018-10-13
0.9.1	4 / 0	2018-09-20
0.9.0	4 / 0	2018-08-04
0.8.6	4 / 0	2018-07-29
0.8.5	4 / 0	2018-07-15
0.8.4	4 / 0	2018-07-14
0.8.3	4 / 0	2018-07-04
0.8.2	4 / 0	2018-06-21
0.8.1	3 / 0	2018-06-16
0.8.0	3 / 0	2018-05-19
0.7.0	3 / 0	2018-04-28
0.6.2	3 / 0	2018-04-14
0.5.0	1 / 0	2018-03-30
0.4.1	1 / 0	2018-03-04
0.2.1	1 / 0	2018-02-14
0.2.0	1 / 0	2018-02-10
0.0.5	0 / 0	2018-02-10
0.0.4	0 / 0	2018-02-09

v1.3.2

2 findings

HIGH Publisher changed: mitchellhamilton → emotion-release-bot (on 2024-09-21) provenance

This version was published by a different npm account than previous versions on 2024-09-21. This could indicate a legitimate maintainer transition or an account compromise.