color
Color conversion and manipulation with CSS string support
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:color-string | AI (dependencies): color-string is a long-standing companion dependency of the color package; its use here is expected and stable across versions. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Publisher qix is the GitHub repo owner (Qix-/color) and listed author; the 2018 transition was a legitimate handoff, not a hostile takeover. Stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of harth is part of the same legitimate 2018 maintainer transition to qix, who is the repo owner and listed author. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction reflects a legitimate refactor; no install scripts, no obfuscation, clean files list. Package behavior is consistent with a well-known color library. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change harth→moox occurred in 2015; moox has 116 approved/0 rejected packages and a 4000+ day track record. Legitimate historical transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): moox was added as maintainer in 2015 and has a strong, clean publishing history. This is a stable, legitimate maintainer addition. | ai | |
| provenance | no-provenance | AI (provenance): Established publisher with long track record; lack of provenance attestation is not a meaningful risk signal for this package. | ai |
Versions (showing 51 of 51)
| Version | Deps | Published |
|---|---|---|
| 5.0.3 | 2 / 3 | |
| 5.0.2 | 2 / 3 | |
| 5.0.0 | 2 / 3 | |
| 4.2.3 | 2 / 2 | |
| 4.2.2 | 2 / 2 | |
| 4.2.1 | 2 / 2 | |
| 4.2.0 | 2 / 2 | |
| 4.1.0 | 2 / 2 | |
| 4.0.2 | 2 / 2 | |
| 4.0.1 | 2 / 2 | |
| 4.0.0 | 2 / 2 | |
| 3.2.1 | 2 / 2 | |
| 3.2.0 | 2 / 2 | |
| 3.1.4 | 2 / 2 | |
| 3.1.3 | 2 / 2 | |
| 3.1.2 | 2 / 2 | |
| 3.1.1 | 2 / 2 | |
| 3.1.0 | 2 / 2 | |
| 3.0.0 | 2 / 2 | |
| 2.0.1 | 2 / 2 | |
| 2.0.0 | 2 / 2 | |
| 1.0.3 | 2 / 2 | |
| 1.0.2 | 2 / 2 | |
| 1.0.1 | 2 / 2 | |
| 1.0.0 | 3 / 2 | |
| 0.11.4 | 3 / 2 | |
| 0.11.3 | 3 / 2 | |
| 0.11.2 | 3 / 2 | |
| 0.11.1 | 2 / 2 | |
| 0.11.0 | 2 / 1 | |
| 0.10.1 | 2 / 1 | |
| 0.10.0 | 2 / 1 | |
| 0.9.0 | 2 / 1 | |
| 0.8.0 | 2 / 0 | |
| 0.7.3 | 2 / 4 | |
| 0.7.2 | 2 / 4 | |
| 0.7.1 | 2 / 4 | |
| 0.7.0 | 2 / 4 | |
| 0.6.0 | 2 / 4 | |
| 0.5.0 | 2 / 4 | |
| 0.4.4 | 2 / 2 | |
| 0.4.3 | 2 / 2 | |
| 0.4.2 | 2 / 2 | |
| 0.4.1 | 2 / 2 | |
| 0.4.0 | 2 / 2 | |
| 0.3.0 | 2 / 2 | |
| 0.2.0 | 2 / 2 | |
| 0.1.3 | 2 / 2 | |
| 0.1.2 | 2 / 2 | |
| 0.1.1 | 2 / 2 | |
| 0.1.0 | 2 / 2 |
v3.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
3 findingsAll previous maintainers (harth) were replaced by new maintainers (qix). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2019-04-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
3 findingsAll previous maintainers (harth) were replaced by new maintainers (moox, qix). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2018-10-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findingsThis version was published by a different npm account than previous versions on 2018-01-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
2 findingsThis version was published by a different npm account than previous versions on 2017-11-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findingsThis version was published by a different npm account than previous versions on 2017-06-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
2 findingsThis version was published by a different npm account than previous versions on 2016-12-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
2 findingsThis version was published by a different npm account than previous versions on 2016-12-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
2 findingsThis version was published by a different npm account than previous versions on 2016-12-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
2 findingsThis version was published by a different npm account than previous versions on 2016-12-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
2 findingsThis version was published by a different npm account than previous versions on 2016-11-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
2 findingsThis version was published by a different npm account than previous versions on 2016-06-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
2 findingsThis version was published by a different npm account than previous versions on 2016-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findingsThis version was published by a different npm account than previous versions on 2016-01-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
2 findingsThis version was published by a different npm account than previous versions on 2016-01-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
2 findingsThis version was published by a different npm account than previous versions on 2015-07-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
2 findingsThis version was published by a different npm account than previous versions on 2015-07-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
2 findingsThis version was published by a different npm account than previous versions on 2015-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findingsThis version was published by a different npm account than previous versions on 2015-03-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.