@emotion/styled
styled API for emotion
5
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
tkh44emotion-release-botandaristemmatown
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Emotion project historically has long release gaps; the same automation bot (emotion-release-bot) published this version with a clean 27/0 track record. Dormancy is consistent with project history. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count reflects multiple environment-specific build outputs (edge-light, browser, worker, workerd) added to the exports map, consistent with the package.json exports structure. Not injected code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mitchellhamilton is the original emotion creator who stepped back; emmatown is a known contributor. This is a documented legitimate transition in the emotion project, not a takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new deps are first-party @emotion/* packages or @babel/runtime; this is a v10→v11 major version restructuring within the official emotion-js monorepo, not a suspicious third-party addition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): andarist (Artem Zakharchenko) is a well-known legitimate maintainer of the emotion-js project; this addition is a routine contributor formalization, not a suspicious takeover. | ai | |
| dependencies | unvetted-dep:@emotion/styled-base | AI (dependencies): @emotion/styled-base is a sibling package in the Emotion monorepo, published by the same trusted emotion-release-bot. This dependency is expected and stable across all versions. | ai | |
| dependencies | unvetted-peer-dep:@emotion/core | AI (dependencies): @emotion/core is a sibling Emotion monorepo package from the same trusted publisher. Peer dep is expected and stable across all versions. | ai | |
| dependencies | unvetted-dep:@emotion/is-prop-valid | AI (dependencies): @emotion/is-prop-valid is a first-party emotion scoped package and a documented core dependency of @emotion/styled; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): emotion-release-bot has a clean track record; lack of Sigstore provenance is common and not a risk signal for this established publisher. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 11.14.1 | 6 / 4 | |
| 11.13.0 | 6 / 4 | |
| 11.10.4 | 6 / 5 | |
| 11.9.3 | 5 / 5 | |
| 10.0.27 | 2 / 3 |
v11.13.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.10.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.