@mui/system
MUI System is a set of CSS utilities to help you build custom designs more efficiently. It makes it possible to rapidly lay out custom designs.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): MUI transitioned to GitHub Actions CI/CD publishing with SLSA provenance attestation. This is a supply chain improvement, not a compromise. Generalizes to future versions. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): janpotoms is a known MUI contributor; addition is consistent with org-level maintainer roster management alongside CI/CD transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of mbrookes and mui-release-bot is consistent with MUI's shift to GitHub Actions publishing; not indicative of a takeover. | ai | |
| dependencies | unvetted-dep:@mui/styled-engine | AI (dependencies): Internal MUI monorepo dependency; part of the same trusted ecosystem and publisher. | ai | |
| dependencies | unvetted-dep:@mui/private-theming | AI (dependencies): Internal MUI monorepo dependency; part of the same trusted ecosystem and publisher. | ai | |
| dependencies | unvetted-dep:@mui/utils | AI (dependencies): Internal MUI monorepo dependency; part of the same trusted ecosystem and publisher. | ai |
Versions (showing 51 of 180)
| Version | Deps | Published |
|---|---|---|
| 9.0.1 | 8 / 0 | |
| 9.0.0 | 8 / 0 | |
| 7.3.11 | 8 / 0 | |
| 7.3.10 | 8 / 0 | |
| 7.3.9 | 8 / 0 | |
| 7.3.8 | 8 / 0 | |
| 7.3.7 | 8 / 0 | |
| 7.3.6 | 8 / 0 | |
| 7.3.5 | 8 / 0 | |
| 7.3.3 | 8 / 0 | |
| 7.3.2 | 8 / 0 | |
| 7.3.1 | 8 / 0 | |
| 7.3.0 | 8 / 0 | |
| 7.2.0 | 8 / 0 | |
| 7.1.1 | 8 / 0 | |
| 7.1.0 | 8 / 0 | |
| 7.0.2 | 8 / 0 | |
| 7.0.1 | 8 / 0 | |
| 7.0.0 | 8 / 0 | |
| 6.5.0 | 8 / 0 | |
| 6.4.12 | 8 / 0 | |
| 6.4.9 | 8 / 0 | |
| 6.4.8 | 8 / 0 | |
| 6.4.7 | 8 / 0 | |
| 6.4.6 | 8 / 0 | |
| 6.4.3 | 8 / 0 | |
| 6.4.2 | 8 / 0 | |
| 6.4.1 | 8 / 0 | |
| 6.4.0 | 8 / 0 | |
| 6.3.1 | 8 / 0 | |
| 6.3.0 | 8 / 0 | |
| 6.2.1 | 8 / 0 | |
| 6.2.0 | 8 / 0 | |
| 6.1.10 | 8 / 0 | |
| 6.1.9 | 8 / 0 | |
| 6.1.8 | 8 / 0 | |
| 6.1.7 | 8 / 0 | |
| 6.1.6 | 8 / 0 | |
| 6.1.5 | 8 / 0 | |
| 6.1.4 | 8 / 0 | |
| 6.1.3 | 8 / 0 | |
| 6.1.2 | 8 / 0 | |
| 6.1.1 | 8 / 0 | |
| 6.1.0 | 8 / 0 | |
| 6.0.2 | 8 / 0 | |
| 6.0.1 | 8 / 0 | |
| 6.0.0 | 8 / 0 | |
| 5.18.0 | 8 / 0 | |
| 5.17.1 | 8 / 0 | |
| 5.16.14 | 8 / 0 | |
| 5.16.13 | 8 / 0 |
v9.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.3
2 findingsThis version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mj12albert.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-09. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-28. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-26. This could indicate a legitimate maintainer transition or an account compromise.
v6.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-25. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.8
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-17. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-05. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-26. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-04. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-29. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-21. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-14. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-03. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-23. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-17. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-11. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-04. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-11-27. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-11-13. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-30. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-09. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-19. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-11. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-03. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-08-29. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-08-27. This could indicate a legitimate maintainer transition or an account compromise.
v5.18.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.16.14
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-06. This could indicate a legitimate maintainer transition or an account compromise.
v5.16.13
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-25. This could indicate a legitimate maintainer transition or an account compromise.