jss
A lib for generating Style Sheets with JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of webpack-bundled dist files (jss.js, jss.min.js) alongside Babel-transpiled lib/; consistent with the build scripts in package.json. | ai | |
| dependencies | unvetted-dep:murmurhash-js | AI (dependencies): murmurhash-js is a legitimate, well-known hashing library appropriate for a CSS-in-JS tool generating class name hashes. No malicious signals. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): murmurhash-js is a benign, established hashing utility; its addition is consistent with jss's use case and poses no supply-chain risk. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 37 new source files reflect legitimate library expansion across a multi-minor-version bump (9.5.0→9.8.3); no obfuscation or suspicious content. | ai | |
| provenance | no-provenance | AI (provenance): JSS is a long-established package (4193 days, 186 versions) published by a trusted maintainer; lack of Sigstore provenance is common and not a risk indicator here. | ai | |
| dependencies | unvetted-dep:tiny-warning | AI (dependencies): tiny-warning is a well-known, minimal utility package that has been a stable JSS dependency for many versions; no security concerns. | ai | |
| dependencies | unvetted-dep:is-in-browser | AI (dependencies): is-in-browser is a well-known, minimal utility package that has been a stable JSS dependency for many versions; no security concerns. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): JSS postinstall only prints a donation message via console.log with ANSI codes — no network calls or code execution risk. Stable benign pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): jss is the canonical name for this CSS-in-JS library, not a typo of qs. False positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): jss is the canonical name for this CSS-in-JS library, not a typo of joi. False positive. | ai | |
| typosquat | typosquat.levenshtein:jest | AI (typosquat): jss is the canonical name for this CSS-in-JS library, not a typo of jest. False positive. | ai | |
Versions (showing 100 of 146)
| Version | Deps | Published |
|---|---|---|
| 10.10.0 | 4 / 0 | |
| 10.9.2 | 4 / 0 | |
| 10.9.1 | 4 / 0 | |
| 10.9.0 | 4 / 0 | |
| 10.8.2 | 4 / 0 | |
| 10.8.1 | 4 / 0 | |
| 10.8.0 | 4 / 0 | |
| 10.7.1 | 4 / 0 | |
| 10.7.0 | 4 / 0 | |
| 10.6.0 | 5 / 0 | |
| 10.5.1 | 5 / 0 | |
| 10.5.0 | 5 / 0 | |
| 10.4.0 | 4 / 0 | |
| 10.3.0 | 4 / 0 | |
| 10.2.0 | 4 / 0 | |
| 10.1.1 | 4 / 0 | |
| 10.1.0 | 4 / 0 | |
| 10.0.4 | 4 / 0 | |
| 10.0.3 | 4 / 0 | |
| 10.0.2 | 4 / 0 | |
| 10.0.1 | 4 / 0 | |
| 10.0.0 | 4 / 0 | |
| 9.8.6 | 3 / 68 | |
| 9.8.1 | 3 / 60 | |
| 9.8.0 | 3 / 60 | |
| 9.5.0 | 3 / 58 | |
| 9.4.0 | 3 / 58 | |
| 9.3.3 | 3 / 58 | |
| 9.3.2 | 3 / 58 | |
| 9.3.1 | 3 / 58 | |
| 9.3.0 | 3 / 58 | |
| 9.2.0 | 3 / 57 | |
| 9.1.0 | 3 / 57 | |
| 9.0.0 | 3 / 57 | |
| 8.1.0 | 2 / 56 | |
| 8.0.0 | 2 / 55 | |
| 7.1.7 | 2 / 55 | |
| 7.1.6 | 2 / 55 | |
| 7.1.5 | 2 / 54 | |
| 7.1.4 | 2 / 54 | |
| 7.1.3 | 2 / 54 | |
| 7.1.2 | 2 / 54 | |
| 7.1.1 | 2 / 54 | |
| 7.1.0 | 2 / 54 | |
| 7.0.3 | 2 / 54 | |
| 7.0.2 | 2 / 54 | |
| 7.0.1 | 2 / 54 | |
| 7.0.0 | 2 / 54 | |
| 6.5.0 | 2 / 54 | |
| 6.4.0 | 2 / 54 | |
| 6.3.0 | 3 / 53 | |
| 6.2.0 | 4 / 54 | |
| 6.1.1 | 4 / 54 | |
| 6.1.0 | 4 / 54 | |
| 6.0.2 | 4 / 53 | |
| 6.0.1 | 3 / 52 | |
| 6.0.0 | 3 / 52 | |
| 5.5.6 | 3 / 47 | |
| 5.5.5 | 3 / 37 | |
| 5.5.4 | 3 / 37 | |
| 5.5.3 | 2 / 36 | |
| 5.5.2 | 2 / 35 | |
| 5.5.1 | 2 / 33 | |
| 5.5.0 | 2 / 33 | |
| 5.4.0 | 1 / 32 | |
| 5.3.0 | 1 / 32 | |
| 5.2.0 | 1 / 32 | |
| 5.1.0 | 1 / 32 | |
| 5.0.0 | 1 / 32 | |
| 4.0.3 | 1 / 32 | |
| 4.0.2 | 1 / 32 | |
| 4.0.1 | 1 / 32 | |
| 4.0.0 | 1 / 32 | |
| 3.11.1 | 0 / 33 | |
| 3.11.0 | 0 / 33 | |
| 3.10.0 | 0 / 33 | |
| 3.9.1 | 0 / 29 | |
| 3.9.0 | 0 / 25 | |
| 3.8.0 | 0 / 25 | |
| 3.7.0 | 0 / 23 | |
| 3.6.3 | 0 / 23 | |
| 3.6.2 | 0 / 23 | |
| 3.6.1 | 0 / 23 | |
| 3.6.0 | 0 / 23 | |
| 3.5.0 | 0 / 23 | |
| 3.4.0 | 0 / 23 | |
| 3.3.0 | 0 / 21 | |
| 3.2.0 | 0 / 21 | |
| 3.1.1 | 0 / 21 | |
| 3.1.0 | 0 / 21 | |
| 3.0.0 | 0 / 10 | |
| 2.3.5 | 0 / 10 | |
| 2.3.4 | 0 / 10 | |
| 2.3.3 | 0 / 10 | |
| 2.3.2 | 0 / 11 | |
| 2.3.1 | 0 / 11 | |
| 2.3.0 | 0 / 11 | |
| 2.2.1 | 0 / 4 | |
| 2.2.0 | 0 / 4 | |
| 2.1.6 | 0 / 4 | |
v10.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.9.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.9.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.8.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.7.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.8.6
2 findings: Script: node -e "console.log('\u001b[35m\u001b[1mLove JSS? You can now support us on open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/jss/donate\u001b[0m')"
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.8.1
2 findings: Script: node -e "console.log('\u001b[35m\u001b[1mLove JSS? You can now support us on open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/jss/donate\u001b[0m')"
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.8.0
2 findings: Script: node -e "console.log('\u001b[35m\u001b[1mLove JSS? You can now support us on open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/jss/donate\u001b[0m')"
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.3.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.3.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.3.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.