@parcel/css — Greenflagged

A CSS parser, transformer, and minifier written in Rust

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	bundled-binaries	AI (npm-metadata): These are NAPI-RS prebuilt Rust native addons for each platform/arch — the standard distribution pattern for this package. Not backdoors.	ai	2026/04/24
typosquat	typosquat.levenshtein:cors	AI (typosquat): @parcel/css is a scoped package in the well-known @parcel namespace; levenshtein match to 'cors' is a false positive.	ai	2026/04/24
typosquat	typosquat.levenshtein:qs	AI (typosquat): @parcel/css is a scoped package in the well-known @parcel namespace; levenshtein match to 'qs' is a false positive.	ai	2026/04/24
phantom-deps	phantom-dep:@parcel/css-linux-x64-musl	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-win32-x64-msvc	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-linux-arm64-gnu	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-darwin-x64	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-linux-arm-gnueabihf	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require constructs platform-specific NAPI-RS binary package names. Input is derived from os/arch/libc detection, not user input. Stable false positive for this package.	ai	2026/04/23
dependencies	unvetted-dep:detect-libc	AI (dependencies): detect-libc is a well-known utility used to distinguish GNU vs musl Linux for native binary selection. Standard usage in NAPI-RS packages.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-linux-arm64-musl	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-darwin-arm64	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/css-linux-x64-gnu	AI (phantom-deps): Standard NAPI-RS pattern: platform-specific native binaries listed as optionalDependencies, loaded dynamically at runtime. Same org scope, legitimate pattern.	ai	2026/04/23