glamorous
React component styling solved
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/glamorous.umd.min.tiny.js | AI (source-diff): This is a standard minified UMD distribution bundle for glamorous. The code is consistent with the library's documented functionality and contains no malicious patterns. | ai | |
| source-diff | obfuscated-file:preact/dist/glamorous.umd.min.tiny.js | AI (source-diff): This is a standard minified UMD distribution bundle for the glamorous preact variant. The code is consistent with the library's documented functionality and contains no malicious patterns. | ai | |
| phantom-deps | phantom-dep:fast-memoize | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai | |
| phantom-deps | phantom-dep:svg-tag-names | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai | |
| phantom-deps | phantom-dep:brcast | AI (phantom-deps): glamorous uses these deps in build/config files (e.g. rollup), not direct imports. Pattern is stable for this bundled package. | ai | |
| phantom-deps | phantom-dep:is-plain-object | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai | |
| phantom-deps | phantom-dep:react-html-attributes | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai | |
| phantom-deps | phantom-dep:html-tag-names | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai | |
| phantom-deps | phantom-dep:is-function | AI (phantom-deps): Build-time dependency referenced in config, not directly imported in source. Consistent with glamorous's bundling approach. | ai |
Versions (showing 90 of 90)
| Version | Deps | Published |
|---|---|---|
| 5.0.0 | 8 / 22 | |
| 4.13.1 | 8 / 22 | |
| 4.13.0 | 8 / 22 | |
| 4.12.5 | 8 / 22 | |
| 4.12.4 | 8 / 22 | |
| 4.12.3 | 8 / 22 | |
| 4.12.2 | 7 / 22 | |
| 4.12.1 | 7 / 21 | |
| 4.12.0 | 7 / 21 | |
| 4.11.6 | 7 / 21 | |
| 4.11.5 | 7 / 21 | |
| 4.11.4 | 7 / 21 | |
| 4.11.3 | 7 / 21 | |
| 4.11.2 | 7 / 20 | |
| 4.11.1 | 7 / 20 | |
| 4.11.0 | 7 / 20 | |
| 4.10.0 | 7 / 20 | |
| 4.9.7 | 7 / 20 | |
| 4.9.6 | 7 / 20 | |
| 4.9.5 | 7 / 19 | |
| 4.9.4 | 7 / 19 | |
| 4.9.3 | 7 / 19 | |
| 4.9.2 | 7 / 19 | |
| 4.9.1 | 7 / 19 | |
| 4.9.0 | 7 / 19 | |
| 4.8.0 | 7 / 44 | |
| 4.7.0 | 7 / 44 | |
| 4.6.0 | 7 / 44 | |
| 4.5.0 | 7 / 44 | |
| 4.4.1 | 7 / 44 | |
| 4.4.0 | 7 / 44 | |
| 4.3.1 | 7 / 44 | |
| 4.3.0 | 7 / 44 | |
| 4.2.1 | 7 / 44 | |
| 4.2.0 | 7 / 44 | |
| 4.1.2 | 7 / 44 | |
| 4.1.1 | 7 / 42 | |
| 4.1.0 | 7 / 41 | |
| 4.0.0 | 5 / 41 | |
| 3.25.0 | 5 / 42 | |
| 3.24.0 | 5 / 42 | |
| 3.23.5 | 5 / 43 | |
| 3.23.4 | 5 / 43 | |
| 3.23.3 | 5 / 43 | |
| 3.23.2 | 5 / 43 | |
| 3.23.1 | 5 / 43 | |
| 3.23.0 | 5 / 43 | |
| 3.22.1 | 5 / 43 | |
| 3.22.0 | 6 / 42 | |
| 3.21.0 | 6 / 42 | |
| 3.20.0 | 6 / 42 | |
| 3.19.1 | 6 / 44 | |
| 3.19.0 | 6 / 44 | |
| 3.18.1 | 6 / 44 | |
| 3.18.0 | 6 / 44 | |
| 3.17.0 | 5 / 44 | |
| 3.16.0 | 5 / 44 | |
| 3.15.1 | 5 / 44 | |
| 3.15.0 | 5 / 43 | |
| 3.14.0 | 5 / 43 | |
| 3.13.4 | 5 / 43 | |
| 3.13.3 | 5 / 43 | |
| 3.13.2 | 5 / 43 | |
| 3.13.1 | 5 / 43 | |
| 3.13.0 | 5 / 43 | |
| 3.12.1 | 5 / 43 | |
| 3.12.0 | 5 / 43 | |
| 3.11.2 | 5 / 43 | |
| 3.11.1 | 5 / 43 | |
| 3.11.0 | 5 / 43 | |
| 3.10.0 | 5 / 43 | |
| 3.9.2 | 5 / 43 | |
| 3.9.1 | 5 / 43 | |
| 3.9.0 | 5 / 43 | |
| 3.8.0 | 5 / 43 | |
| 3.7.1 | 5 / 42 | |
| 3.7.0 | 5 / 42 | |
| 3.6.1 | 5 / 42 | |
| 3.6.0 | 5 / 42 | |
| 3.5.0 | 5 / 41 | |
| 3.4.0 | 5 / 37 | |
| 3.3.0 | 5 / 37 | |
| 3.2.0 | 3 / 37 | |
| 3.1.0 | 3 / 37 | |
| 3.0.1 | 2 / 36 | |
| 3.0.0 | 2 / 35 | |
| 2.0.1 | 2 / 35 | |
| 2.0.0 | 2 / 34 | |
| 1.0.1 | 0 / 34 | |
| 1.0.0 | 0 / 34 |
v5.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.