@vanilla-extract/css
Zero-runtime Stylesheets-in-TypeScript
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — this is a CI/CD migration to a more secure publish flow, not a compromise indicator. Stable for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package has verified SLSA provenance via Sigstore; strongest supply chain integrity signal available. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): askoufis is a known vanilla-extract contributor; addition is consistent with legitimate project governance. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @vanilla-extract/css is a well-known scoped CSS-in-TS library; levenshtein match against 'cors' is a false positive driven by the scoped package name format. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): @vanilla-extract/css is a well-known scoped CSS-in-TS library; levenshtein match against 'qs' is a false positive driven by the scoped package name format. | ai | |
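How the levenshtein rule behind the two typosquat findings ends up matching 'qs' and 'cors', as an added example written for this page (it is not the scanner's code and not part of the vanilla-extract project): a rule that compares the unscoped segment of the name reduces '@vanilla-extract/css' to 'css', which is within two edits of both targets, while the full scoped name is nowhere near either. The target list, the distance threshold of 2, and the scope-stripping step are assumptions about how the rule works; the page only states that the match is levenshtein-based and caused by the scoped name format.

```typescript
// Added example, not the scanner's implementation: reproduce a levenshtein
// typosquat rule to show why a scoped name collides with short popular names.

// Constructed list of "popular" names a typosquat rule might compare against;
// the real rule's target list is not given on the page.
const POPULAR = ["qs", "cors", "css-loader", "chalk"];

// Classic dynamic-programming edit distance with a rolling row.
function levenshtein(a: string, b: string): number {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur: number[] = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Strip the npm scope: "@scope/name" -> "name". Comparing only this segment
// (assumed to be what the rule does) is what yields the 'css' vs 'qs'/'cors' hits.
function stripScope(name: string): string {
  return name.startsWith("@") ? name.slice(name.indexOf("/") + 1) : name;
}

interface Match { target: string; distance: number }

// Popular names within `maxDistance` edits of the package name (threshold of 2 assumed).
function typosquatMatches(
  name: string,
  opts: { stripScope: boolean; maxDistance?: number } = { stripScope: true },
): Match[] {
  const max = opts.maxDistance ?? 2;
  const subject = opts.stripScope ? stripScope(name) : name;
  return POPULAR
    .map((target) => ({ target, distance: levenshtein(subject, target) }))
    // distance 0 is the popular package itself, not a squat of it
    .filter((m) => m.distance > 0 && m.distance <= max)
    .sort((x, y) => x.distance - y.distance);
}

// Accept known-good packages by their full scoped name, never by the unscoped
// segment, so the acceptance cannot be inherited by "@other-scope/css".
const ACCEPTED = new Set(["@vanilla-extract/css"]);

function isTyposquatSuspect(name: string): boolean {
  if (ACCEPTED.has(name)) return false;
  return typosquatMatches(name).length > 0;
}

console.log(typosquatMatches("@vanilla-extract/css"));                       // qs and cors at distance 2
console.log(typosquatMatches("@vanilla-extract/css", { stripScope: false })); // nothing
console.log(isTyposquatSuspect("@vanilla-extract/css"));                     // false (accepted)
```

The point for the reviewer is that the accepted-risk entry should be keyed on the full scoped name, as above: the same unscoped 'css' segment under a different, unknown scope should still trip the rule.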
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.20.1 | 11 / 0 | |
| 1.20.0 | 12 / 1 | |
| 1.19.1 | 12 / 1 | |
| 1.19.0 | 12 / 1 | |
| 1.18.0 | 12 / 1 | |
| 1.17.5 | 12 / 1 | |
| 1.17.4 | 12 / 1 | |
| 1.17.3 | 12 / 1 | |
| 1.17.2 | 12 / 1 | |
| 1.16.0 | 12 / 1 | |
v1.20.0
2 findings. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
v1.19.1
2 findings. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.19.0
2 findings. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.18.0
2 findings. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.17.5
1 finding. Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.4
1 finding. Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.3
1 finding. Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.2
1 finding. Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
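What to actually check inside the SLSA v1 provenance that the findings above refer to, as an added example (not the scanner's code and not part of vanilla-extract): the in-toto statement carried by the attestation names the tarball digest, the source repository and workflow, and the builder, and a consumer deciding whether a "publisher changed" event is a CI migration or a compromise should inspect those claims rather than stop at "provenance present". The response shape assumed here is the one the npm registry serves at /-/npm/v1/attestations/<name>@<version> (a Sigstore bundle with a DSSE envelope); the repository URL is assumed and should be taken from the package's own package.json repository field; the statement, digest and run details are constructed for the example. Signature, certificate and Rekor verification are deliberately left to `npm audit signatures` or the sigstore-js library; this code only applies policy to a decoded statement and must run after that verification, not instead of it.

```typescript
// Added example, not the scanner's code: decode an npm provenance attestation
// and apply a policy check to its claims. No cryptographic verification here.

const PROVENANCE_V1 = "https://slsa.dev/provenance/v1";
// Assumed source repository; confirm against package.json "repository" before use.
const EXPECTED_REPO = "https://github.com/vanilla-extract-css/vanilla-extract";
const GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted";

// Registry response shape as assumed for this example.
interface AttestationsResponse {
  attestations: {
    predicateType: string;
    bundle: { dsseEnvelope: { payload: string; payloadType: string } };
  }[];
}

interface Verdict { ok: boolean; reasons: string[] }

// The DSSE payload is the base64-encoded in-toto statement.
function decodeStatement(env: { payload: string; payloadType: string }): any {
  if (env.payloadType !== "application/vnd.in-toto+json") {
    throw new Error(`unexpected payloadType ${env.payloadType}`);
  }
  return JSON.parse(Buffer.from(env.payload, "base64").toString("utf8"));
}

// purl form npm uses for a scoped package subject, e.g. pkg:npm/%40scope/name@1.0.0
function npmPurl(pkg: string, version: string): string {
  return `pkg:npm/${pkg.replace(/^@/, "%40")}@${version}`;
}

function checkProvenance(resp: AttestationsResponse, pkg: string, version: string, sha512: string): Verdict {
  const reasons: string[] = [];
  const att = resp.attestations.find((a) => a.predicateType === PROVENANCE_V1);
  if (!att) return { ok: false, reasons: ["no SLSA provenance attestation (published without provenance)"] };
  const stmt = decodeStatement(att.bundle.dsseEnvelope);
  if (stmt.predicateType !== PROVENANCE_V1) reasons.push("statement predicateType disagrees with envelope");
  // The subject binds the attestation to one exact tarball; a statement about a
  // different version or digest says nothing about what was installed.
  const purl = npmPurl(pkg, version);
  const subject = (stmt.subject ?? []).find((s: any) => s.name === purl);
  if (!subject) reasons.push(`no subject for ${purl}`);
  else if (subject.digest?.sha512 !== sha512) reasons.push("subject digest does not match installed tarball");
  // Source and builder identity: these are the claims that change in a real
  // CI migration and the claims an attacker cannot forge without a Sigstore cert.
  const wf = stmt.predicate?.buildDefinition?.externalParameters?.workflow ?? {};
  if (wf.repository !== EXPECTED_REPO) reasons.push(`built from ${wf.repository ?? "unknown"}, expected ${EXPECTED_REPO}`);
  const builder = stmt.predicate?.runDetails?.builder?.id;
  if (builder !== GITHUB_HOSTED_BUILDER) reasons.push(`builder ${builder ?? "unknown"} is not the GitHub-hosted runner`);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample of the kind `npm publish --provenance` from GitHub Actions
// produces, wrapped as the registry returns it. Digest and paths are made up.
const SAMPLE_DIGEST = "a".repeat(128);
function sampleResponse(repository: string = EXPECTED_REPO): AttestationsResponse {
  const statement = {
    _type: "https://in-toto.io/Statement/v1",
    subject: [{ name: "pkg:npm/%40vanilla-extract/css@1.20.0", digest: { sha512: SAMPLE_DIGEST } }],
    predicateType: PROVENANCE_V1,
    predicate: {
      buildDefinition: {
        buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
        externalParameters: { workflow: { ref: "refs/heads/master", repository, path: ".github/workflows/release.yml" } },
      },
      runDetails: { builder: { id: GITHUB_HOSTED_BUILDER } },
    },
  };
  const payload = Buffer.from(JSON.stringify(statement)).toString("base64");
  return { attestations: [{ predicateType: PROVENANCE_V1, bundle: { dsseEnvelope: { payload, payloadType: "application/vnd.in-toto+json" } } }] };
}

console.log(checkProvenance(sampleResponse(), "@vanilla-extract/css", "1.20.0", SAMPLE_DIGEST));
console.log(checkProvenance({ attestations: [] }, "@vanilla-extract/css", "1.17.5", SAMPLE_DIGEST));
```

The second call models the 1.17.x versions above: with no attestation there is nothing to check, which is why the scanner can only suggest asking the maintainer to enable provenance. For the 1.18.0 and later versions, the publisher-changed finding is resolved by the repository and builder claims staying on the expected values; a provenance whose workflow points at a fork or a different repository would be the compromise case the finding warns about.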