← Home

postcss-custom-properties

npm Repository Homepage

Use Custom Properties Queries in CSS

3
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jonathantnealalagunaromainmenkemooxsemigradsky

Keywords

csscsswgcustomdeclarationspostcsspostcss-pluginpropertiesspecificationvariablesvarsw3c

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:@csstools/utilities AI (dependencies): First-party csstools package from the same monorepo and publisher (romainmenke); unvetted status reflects registry gap, not actual risk. ai
dependencies unvetted-dep:@csstools/cascade-layer-name-parser AI (dependencies): First-party csstools package from the same monorepo and publisher (romainmenke); unvetted status reflects registry gap, not actual risk. ai
phantom-deps phantom-dep:@csstools/utilities AI (phantom-deps): Monorepo build artifact; deps referenced in config files is expected for csstools plugin packages. ai
phantom-deps phantom-dep:postcss-value-parser AI (phantom-deps): Monorepo build artifact; deps referenced in config files is expected for csstools plugin packages. ai
phantom-deps phantom-dep:@csstools/css-tokenizer AI (phantom-deps): Monorepo build artifact; deps referenced in config files is expected for csstools plugin packages. ai
phantom-deps phantom-dep:@csstools/css-parser-algorithms AI (phantom-deps): Monorepo build artifact; deps referenced in config files is expected for csstools plugin packages. ai
phantom-deps phantom-dep:@csstools/cascade-layer-name-parser AI (phantom-deps): Monorepo build artifact; deps referenced in config files is expected for csstools plugin packages. ai

Versions (showing 3 of 3)

Version Deps Published
15.0.1 5 / 0
15.0.0 5 / 0
13.3.12 5 / 0

v15.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.3.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.