myth
A CSS preprocessor that acts like a polyfill for future versions of the spec.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to addition of a browserified distribution bundle (myth.js) packaging all CSS processing dependencies. Expected for this type of tooling package. | ai | |
| source-diff | net-exec-file:myth.js | AI (source-diff): myth.js is a browserify UMD bundle of the CSS preprocessor and its deps. The 'network calls' are browserify module resolution patterns, not actual network I/O. Stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Findings are in myth.js, a Browserify browser bundle that uses integer module IDs (e.g. require(42)) — not dynamic external module loading. This pattern is stable across all versions of this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): dominicbarnes was added as maintainer in 2014 as part of a legitimate transition from segmentio. This is a historical, stable change with no ongoing risk. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected for this era of publishing. | ai | |
| provenance | publisher-changed | AI (provenance): The segmentio→ianstormtaylor transition occurred in 2014 and is a well-documented legitimate handoff. Ian Storm Taylor is a known contributor with a strong track record on npm. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in a CSS preprocessor/polyfill is consistent with expression evaluation (e.g., calc, color functions). The try/catch pattern indicates defensive use, not malicious intent. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is a legitimate CLI dependency used by myth's bin/myth entry point; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:is-browser | AI (phantom-deps): is-browser is a legitimate utility for myth's browser/node dual-environment support; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:read-file-stdin | AI (phantom-deps): read-file-stdin is a legitimate I/O utility for myth's CLI stdin support; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:to-space-case | AI (phantom-deps): to-space-case is a legitimate string utility used by myth's CSS processing pipeline; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:to-slug-case | AI (phantom-deps): to-slug-case is a legitimate string utility used by myth's CSS processing pipeline; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:node-watch | AI (phantom-deps): node-watch is a legitimate file-watching dependency for myth's watch mode; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:write-file-stdout | AI (phantom-deps): write-file-stdout is a legitimate I/O utility for myth's CLI stdout support; phantom detection is a false positive. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.5.0 | 21 / 2 | |
| 1.4.0 | 20 / 2 | |
| 1.3.0 | 20 / 2 | |
| 1.2.1 | 20 / 2 | |
| 1.2.0 | 20 / 2 | |
| 1.1.1 | 20 / 2 | |
| 1.1.0 | 18 / 3 | |
| 1.0.4 | 15 / 2 | |
| 1.0.3 | 15 / 2 | |
| 1.0.2 | 15 / 2 | |
| 1.0.1 | 15 / 2 | |
| 1.0.0 | 15 / 2 | |
| 0.3.4 | 13 / 2 | |
| 0.3.3 | 13 / 2 | |
| 0.3.2 | 13 / 2 | |
| 0.3.1 | 13 / 2 | |
| 0.3.0 | 13 / 2 | |
| 0.2.0 | 13 / 1 | |
| 0.1.8 | 13 / 1 | |
| 0.1.7 | 12 / 1 | |
| 0.1.6 | 11 / 1 | |
| 0.1.5 | 11 / 1 | |
| 0.1.4 | 10 / 1 | |
| 0.1.2 | 10 / 1 | |
| 0.1.1 | 10 / 1 | |
| 0.1.0 | 10 / 1 | |
| 0.0.5 | 10 / 1 | |
| 0.0.4 | 10 / 1 | |
| 0.0.3 | 10 / 1 | |
| 0.0.2 | 10 / 1 | |
| 0.0.1 | 9 / 1 | |
v1.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.3.0
2 findings
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-01-26. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dominicbarnes.
This version was published by a different npm account than previous versions on 2014-10-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.2.0
2 findings
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-09-12. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.1.0
2 findings
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-07-14. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.0.0
2 findings
This version was published by a different npm account than previous versions on 2014-05-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.3.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.3.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.3.2
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-03-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.3.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.1.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-12-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.