postcss-loader
PostCSS loader for webpack
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Maintainer transition within webpack-contrib org; evilebottnawi has strong track record (327 approved packages). | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (jiti, klona, semver, cosmiconfig) are all established; jiti replaces cosmiconfig-typescript-loader for config loading. | ai | |
| source-diff | net-exec-file:dist/utils.js | AI (source-diff): Dynamic code execution in utils.js is legitimate config loading via cosmiconfig; core functionality of webpack loaders, not malware. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Legitimate handoff; michael-ciniawsky removed as part of org transition, not a takeover signal. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): postcss-loader is an official webpack org package with a strong publisher track record; dormancy reflects stability, not abandonment. Legitimate maintenance resume. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() is intentional design: postcss-loader resolves user-configured parser/syntax/stringifier plugins by name from webpack config. This is documented behavior, not arbitrary code loading. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (evilebottnawi, sokra, jhnns) are well-known webpack-contrib contributors. Legitimate transition. | ai | |
| dependencies | unvetted-dep:jiti | AI (dependencies): jiti is a legitimate, transparent JavaScript transpiler widely used in build tooling; appropriate for postcss-loader's use case. | ai | |
| provenance | no-provenance | AI (provenance): postcss-loader is a well-established webpack org package; lack of provenance is common and not a material risk here. | ai | |
Versions (showing 88 of 88)
| Version | Deps | Published |
|---|---|---|
| 8.2.1 | 3 / 37 | |
| 8.2.0 | 3 / 48 | |
| 8.1.1 | 3 / 39 | |
| 8.1.0 | 3 / 39 | |
| 8.0.0 | 3 / 39 | |
| 7.3.4 | 3 / 39 | |
| 7.3.3 | 3 / 39 | |
| 7.3.2 | 4 / 39 | |
| 7.3.1 | 4 / 39 | |
| 7.3.0 | 4 / 39 | |
| 7.2.4 | 4 / 39 | |
| 7.2.3 | 4 / 39 | |
| 7.2.2 | 4 / 39 | |
| 7.2.1 | 4 / 39 | |
| 7.2.0 | 4 / 39 | |
| 7.1.0 | 3 / 36 | |
| 7.0.2 | 3 / 36 | |
| 7.0.1 | 3 / 35 | |
| 7.0.0 | 3 / 35 | |
| 6.2.1 | 3 / 35 | |
| 6.2.0 | 3 / 35 | |
| 6.1.1 | 3 / 35 | |
| 6.1.0 | 3 / 35 | |
| 6.0.0 | 3 / 35 | |
| 5.3.0 | 3 / 36 | |
| 5.2.0 | 3 / 36 | |
| 5.1.0 | 3 / 36 | |
| 5.0.0 | 3 / 36 | |
| 4.3.0 | 5 / 36 | |
| 4.2.0 | 5 / 36 | |
| 4.1.0 | 5 / 36 | |
| 4.0.4 | 5 / 36 | |
| 4.0.3 | 5 / 36 | |
| 4.0.2 | 5 / 36 | |
| 4.0.1 | 5 / 36 | |
| 4.0.0 | 5 / 36 | |
| 3.0.0 | 4 / 9 | |
| 2.1.6 | 4 / 10 | |
| 2.1.5 | 4 / 10 | |
| 2.1.4 | 4 / 10 | |
| 2.1.3 | 4 / 10 | |
| 2.1.2 | 4 / 10 | |
| 2.1.1 | 4 / 10 | |
| 2.1.0 | 4 / 10 | |
| 2.0.10 | 4 / 9 | |
| 2.0.9 | 4 / 9 | |
| 2.0.8 | 4 / 9 | |
| 2.0.7 | 4 / 9 | |
| 2.0.6 | 4 / 9 | |
| 2.0.5 | 4 / 9 | |
| 2.0.4 | 4 / 9 | |
| 2.0.3 | 4 / 9 | |
| 2.0.2 | 4 / 9 | |
| 2.0.1 | 4 / 9 | |
| 2.0.0 | 4 / 9 | |
| 1.3.3 | 4 / 15 | |
| 1.3.2 | 4 / 15 | |
| 1.3.1 | 4 / 15 | |
| 1.3.0 | 4 / 15 | |
| 1.2.2 | 4 / 15 | |
| 1.2.1 | 4 / 14 | |
| 1.2.0 | 4 / 14 | |
| 1.1.1 | 4 / 12 | |
| 1.1.0 | 4 / 12 | |
| 1.0.0 | 4 / 12 | |
| 0.13.0 | 2 / 11 | |
| 0.12.0 | 2 / 11 | |
| 0.11.1 | 3 / 11 | |
| 0.11.0 | 3 / 11 | |
| 0.10.1 | 3 / 11 | |
| 0.10.0 | 2 / 11 | |
| 0.9.1 | 2 / 11 | |
| 0.9.0 | 2 / 11 | |
| 0.8.2 | 2 / 11 | |
| 0.8.1 | 2 / 11 | |
| 0.8.0 | 2 / 9 | |
| 0.7.0 | 2 / 8 | |
| 0.6.0 | 2 / 8 | |
| 0.5.1 | 2 / 7 | |
| 0.5.0 | 2 / 7 | |
| 0.4.4 | 2 / 7 | |
| 0.4.3 | 2 / 7 | |
| 0.4.2 | 2 / 7 | |
| 0.4.1 | 2 / 7 | |
| 0.4.0 | 2 / 7 | |
| 0.3.0 | 2 / 8 | |
| 0.2.0 | 2 / 8 | |
| 0.1.0 | 2 / 8 | |
v8.2.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.1.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.3.3
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.3.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.2.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2021-03-11. This could indicate a legitimate maintainer transition or an account compromise.

v5.1.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2021-03-05. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2021-02-02. This could indicate a legitimate maintainer transition or an account compromise.

v4.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2021-01-21. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-11-19. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.4
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-10-09. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.3
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-10-02. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.2
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-09-15. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.1
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-09-08. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2020-09-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.6
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.5
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.4
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2018-04-16. This could indicate a legitimate maintainer transition or an account compromise.

v2.1.3
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2018-03-20. This could indicate a legitimate maintainer transition or an account compromise.

v2.1.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.10
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2018-01-03. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.9
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-11-24. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.8
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-10-14. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.7
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.6
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-10. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.4
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-10. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.3
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-09. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.2
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-09. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.1
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-08. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.0
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2017-05-08. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.3
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.4
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.