@popmenu/web-icons
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): New publisher has 9 approved packages; consistent with internal team handoff at Popmenu org. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): chrisohpopmenu is an established @popmenu org publisher with 8 approved packages; internal team transition. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal icon library; missing metadata signals are stable false positives across all versions of this package. | ai | |
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 0.159.0 | 0 / 0 | |
| 0.158.0 | 0 / 0 | |
| 0.157.0 | 0 / 0 | |
| 0.156.0 | 0 / 0 | |
| 0.155.0 | 0 / 0 | |
| 0.154.0 | 0 / 0 | |
| 0.153.0 | 0 / 0 | |
| 0.152.0 | 0 / 0 | |
| 0.151.1 | 0 / 0 | |
| 0.151.0 | 0 / 0 | |
| 0.150.0 | 0 / 0 | |
| 0.149.0 | 0 / 0 | |
| 0.148.0 | 0 / 0 | |
| 0.147.0 | 0 / 0 | |
| 0.145.0 | 0 / 0 | |
| 0.144.2 | 0 / 0 | |
| 0.144.1 | 0 / 0 | |
| 0.144.0 | 0 / 0 | |
| 0.143.0 | 0 / 0 | |
| 0.142.0 | 0 / 0 | |
| 0.141.0 | 0 / 0 | |
| 0.140.1 | 0 / 0 | |
| 0.140.0 | 0 / 0 | |
| 0.139.0 | 0 / 0 | |
| 0.138.0 | 0 / 0 | |
| 0.137.0 | 0 / 0 | |
| 0.136.0 | 0 / 0 | |
| 0.135.0 | 0 / 0 | |
| 0.134.0 | 0 / 0 | |
| 0.133.0 | 0 / 0 | |
| 0.132.0 | 0 / 0 | |
| 0.131.0 | 0 / 0 | |
| 0.130.0 | 0 / 0 | |
| 0.129.0 | 0 / 0 | |
| 0.128.0 | 0 / 0 | |
| 0.127.0 | 0 / 0 | |
| 0.126.3 | 0 / 0 | |
| 0.126.2 | 0 / 0 | |
| 0.126.1 | 0 / 0 | |
| 0.126.0 | 0 / 0 | |
| 0.125.0 | 0 / 0 | |
| 0.124.0 | 0 / 0 | |
| 0.123.0 | 0 / 0 | |
| 0.122.0 | 0 / 0 | |
v0.159.0
2 findings
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (lesley-r) than the most recent previously approved version (nguyntyler) on 2026-06-11, but lesley-r is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
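The two checks behind these findings (no attestation on the version, and a publisher that differs from the previous version but was already a listed maintainer) can be reproduced from the registry packument alone. The script below is an added example, not code from this report's tooling or from the @popmenu/web-icons project; it runs over a constructed packument for a made-up package `@example/icons`. The field names it reads (`time`, `versions[v]._npmUser`, `versions[v].maintainers`, `versions[v].dist.attestations`) are the registry's real fields; the package data, account names and timestamps are invented.

```javascript
// Added example (not code from this report's tool or from @popmenu/web-icons):
// re-implements the no-provenance and publisher-changed checks over an npm
// packument, the JSON that GET https://registry.npmjs.org/<name> returns.
// Registry field names are real; the package data below is constructed.

// Constructed packument: four versions, two publisher changes, one by an account
// already listed as a maintainer (expected INFO) and one by an account never seen
// before (expected WARN); only 1.1.0 carries a provenance attestation.
const SAMPLE_PACKUMENT = {
  name: '@example/icons',
  time: {
    created: '2026-01-10T12:00:00.000Z',
    modified: '2026-06-11T12:00:00.000Z',
    '1.0.0': '2026-01-10T12:00:00.000Z',
    '1.1.0': '2026-03-02T12:00:00.000Z',
    '1.2.0': '2026-05-22T12:00:00.000Z',
    '1.3.0': '2026-06-11T12:00:00.000Z',
  },
  versions: {
    '1.0.0': {
      _npmUser: { name: 'alice' },
      maintainers: [{ name: 'alice' }, { name: 'bob' }],
      dist: { tarball: 'https://registry.npmjs.org/@example/icons/-/icons-1.0.0.tgz' },
    },
    '1.1.0': {
      _npmUser: { name: 'alice' },
      maintainers: [{ name: 'alice' }, { name: 'bob' }],
      dist: {
        tarball: 'https://registry.npmjs.org/@example/icons/-/icons-1.1.0.tgz',
        // Shape the registry records for `npm publish --provenance`; the Sigstore
        // bundle itself is fetched from the attestations URL.
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@example%2ficons@1.1.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '1.2.0': {
      _npmUser: { name: 'bob' },
      maintainers: [{ name: 'alice' }, { name: 'bob' }],
      dist: { tarball: 'https://registry.npmjs.org/@example/icons/-/icons-1.2.0.tgz' },
    },
    '1.3.0': {
      _npmUser: { name: 'mallory' },
      maintainers: [{ name: 'alice' }, { name: 'bob' }, { name: 'mallory' }],
      dist: { tarball: 'https://registry.npmjs.org/@example/icons/-/icons-1.3.0.tgz' },
    },
  },
};

// Versions in publish order, taken from the `time` map rather than from semver:
// a backport such as 0.144.2 can be published after 0.145.0.
function versionsByPublishDate(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]),
  );
}

// True when the registry holds an attestation bundle for the version and it
// declares a SLSA provenance predicate. This checks presence only; the
// cryptographic verification is what `npm audit signatures` does.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// Walks versions in publish order and emits the report's two finding types:
//   no-provenance      the version has no Sigstore/SLSA attestation
//   publisher-changed  _npmUser differs from the previous version; INFO when that
//                      account was a maintainer or publisher of an earlier version
//                      (the "manual publish by a known maintainer" case), WARN otherwise.
function analyze(packument) {
  const findings = [];
  const seenAccounts = new Set(); // maintainers and publishers of earlier versions
  let prevPublisher = null;
  for (const version of versionsByPublishDate(packument)) {
    const doc = packument.versions[version];
    const publisher = doc._npmUser ? doc._npmUser.name : null;
    const published = packument.time[version].slice(0, 10);
    if (!hasProvenance(doc)) {
      findings.push({ version, rule: 'no-provenance', level: 'WARN',
        message: `${version} published ${published} without Sigstore provenance` });
    }
    if (prevPublisher !== null && publisher !== prevPublisher) {
      const known = seenAccounts.has(publisher);
      findings.push({ version, rule: 'publisher-changed', level: known ? 'INFO' : 'WARN',
        message: `${version} published ${published} by ${publisher}, previous publisher ${prevPublisher}`
          + (known ? ' (known maintainer, likely manual publish)' : ' (account not seen on earlier versions)') });
    }
    // A version's maintainers only count as "known" for versions published after it.
    for (const m of doc.maintainers || []) seenAccounts.add(m.name);
    if (publisher) seenAccounts.add(publisher);
    prevPublisher = publisher;
  }
  return findings;
}

for (const f of analyze(SAMPLE_PACKUMENT)) console.log(`${f.level}\t${f.rule}\t${f.message}`);
```

Against the live registry the same field is visible with `npm view @popmenu/web-icons@0.159.0 dist.attestations` (the report says it is absent for every version listed here), and `npm audit signatures` run inside a project that depends on the package verifies the registry signatures and any attestations for everything in the lockfile, which is the step that actually establishes the source-to-tarball link the note at the top of this page is about.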
v0.158.0
2 findings
- This version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.157.0
2 findings
- This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.156.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.155.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.154.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.153.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.152.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.151.1
2 findings
- This version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.151.0
2 findings
- This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.150.0
2 findings
- This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.149.0
2 findings
- This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.148.0
2 findings
- This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.147.0
2 findings
- This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.145.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.144.2
2 findings
- This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.144.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.144.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.143.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.142.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.141.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.140.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.140.0
2 findings
- This version was published by a different npm account than previous versions on 2025-10-27. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.139.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.138.0
2 findings
- This version was published by a different npm account than previous versions on 2025-10-10. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.137.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.136.0
2 findings
- This version was published by a different npm account than previous versions on 2025-09-23. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.135.0
2 findings
- This version was published by a different npm account than previous versions on 2025-09-19. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.134.0
2 findings
- This version was published by a different npm account than previous versions on 2025-09-17. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.133.0
2 findings
- This version was published by a different npm account than previous versions on 2025-08-01. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.132.0
2 findings
- This version was published by a different npm account than previous versions on 2025-07-30. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.131.0
2 findings
- This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.130.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.129.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.128.0
2 findings
- This version was published by a different npm account than previous versions on 2025-06-27. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.127.0
2 findings
- This version was published by a different npm account than previous versions on 2025-06-16. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.126.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.126.2
2 findings
- This version was published by a different npm account than previous versions on 2025-06-11. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.126.1
2 findings
- This version was published by a different npm account than previous versions on 2025-06-09. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.126.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.125.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.124.0
2 findings
- This version was published by a different npm account than previous versions on 2025-05-19. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.123.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.122.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.