lightningcss — Greenflagged

A CSS parser, transformer, and minifier written in Rust

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): lightningcss routinely adds new platform-specific optional binary deps (e.g. freebsd-x64) as it expands platform support. This is the established pattern for NAPI-RS packages and not a supply-chain risk.	ai	2026/04/24
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is a deliberate namespace reservation placeholder by the legitimate lightningcss author (devongovett). Stable false positive for this package.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Intentional placeholder package by the legitimate lightningcss maintainer. No repo/keywords/deps/payload are expected for a namespace reservation. Stable false positive.	ai	2026/04/24
phantom-deps	phantom-dep:lightningcss-freebsd-x64	AI (phantom-deps): Platform-specific optional binary dependency; dynamic require() at runtime is the documented pattern for native bindings.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established package with strong ecosystem trust; provenance attestation is a best-practice enhancement, not a security blocker.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-linux-arm64-gnu	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads platform-specific binaries by name; standard native binding loader pattern, not arbitrary code execution.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-darwin-x64	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
dependencies	unvetted-dep:detect-libc	AI (dependencies): detect-libc is a standard utility for NAPI-RS/native addon packages to select the correct libc variant binary. Expected and benign for this package.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-linux-arm64-musl	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-linux-arm-gnueabihf	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-darwin-arm64	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): Size increase is TypeScript/Flow type definitions (ast.d.ts, ast.js.flow), standard build artifacts for mature packages.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-linux-x64-gnu	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-linux-x64-musl	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23
phantom-deps	phantom-dep:lightningcss-win32-x64-msvc	AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for native bindings.	ai	2026/04/23