crass
A CSS utility library for JS
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:src/grammar.js | AI (source-diff): File is jison-generated parser output, documented in package.json grammar script; long lines are parser tables, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/grammar.js | AI (source-diff): dist/grammar.js is a jison-generated CSS parser (explicitly stated in file header). Long lines are normal jison output (parse tables). devDependency on jison confirms this is expected build output. | ai | |
| provenance | missing-githead | AI (provenance): Established package with long history; missing gitHead is a publish-environment change, not a security indicator for this well-known maintainer. | ai | |
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive license; the uncommon-license flag is a false positive for this package. | ai | |
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): This is google-code-prettify, a well-known minified syntax highlighter bundled as part of lcov HTML coverage reports. Not malicious — it's a packaging artifact from Istanbul/nyc coverage tooling. | ai | |
| dependencies | unvetted-dep:svgo | AI (dependencies): svgo is a well-known SVG optimizer; its use in a CSS minifier/utility library is contextually appropriate and not a supply-chain risk indicator. | ai | |
| source-diff | obfuscated-file:grammar.js | AI (source-diff): grammar.js is a jison-generated CSS parser (header explicitly states 'parser generated by jison 0.4.13'). Long lines are lookup tables, not obfuscation. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): crass is a mature, established package (4605 days old). Lack of Sigstore provenance is expected for packages predating that tooling and is not a meaningful risk signal here. | ai |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 0.12.3 | 3 / 5 | |
| 0.12.2 | 3 / 5 | |
| 0.12.1 | 3 / 5 | |
| 0.12.0 | 3 / 5 | |
| 0.11.2 | 3 / 5 | |
| 0.11.1 | 3 / 5 | |
| 0.10.4 | 3 / 5 | |
| 0.10.3 | 3 / 5 | |
| 0.10.2 | 3 / 5 | |
| 0.10.1 | 3 / 5 | |
| 0.10.0 | 3 / 5 | |
| 0.9.3 | 3 / 5 | |
| 0.9.2 | 3 / 5 | |
| 0.9.1 | 1 / 5 | |
| 0.8.0 | 1 / 3 | |
| 0.7.12 | 1 / 3 | |
| 0.7.11 | 1 / 3 | |
| 0.7.10 | 1 / 3 | |
| 0.7.9 | 1 / 3 | |
| 0.7.8 | 1 / 3 | |
| 0.7.7 | 1 / 3 | |
| 0.7.6 | 1 / 3 | |
| 0.7.5 | 1 / 3 | |
| 0.7.4 | 1 / 3 | |
| 0.7.3 | 1 / 3 | |
| 0.7.2 | 1 / 3 | |
| 0.7.1 | 1 / 3 | |
| 0.7.0 | 1 / 3 | |
| 0.6.6 | 1 / 3 | |
| 0.6.5 | 1 / 2 | |
| 0.6.4 | 1 / 2 | |
| 0.6.3 | 1 / 2 | |
| 0.6.2 | 2 / 1 | |
| 0.6.1 | 1 / 1 | |
| 0.6.0 | 1 / 1 | |
| 0.5.1 | 1 / 0 | |
| 0.5.0 | 1 / 0 |
v0.12.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.7.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.7.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.7.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.6.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.6.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
v0.6.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mattbasta.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.