postcss-preset-env
Convert modern CSS into something browsers understand
51
Versions
MIT-0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
jonathantnealalagunaromainmenke
Keywords
csscsswgfeaturesfuturelistsnextpostcsspostcss-pluginspecificationsspecsstagesw3c
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): alaguna is the csstools org maintainer who took over postcss-preset-env as part of the csstools/postcss-plugins monorepo migration; legitimate and well-documented transition. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): postcss-preset-env is a plugin-pack that bundles CSS feature plugins; adding new @csstools/* and postcss-* deps is its core growth pattern and all new deps are from the same csstools org or established postcss ecosystem. | ai | |
| phantom-deps | phantom-dep:postcss-value-parser | AI (phantom-deps): postcss-value-parser is a legitimate declared dependency used indirectly or in build/config tooling; not a security concern for this package. | ai | |
| source-diff | obfuscated-file:dist/cli.mjs | AI (source-diff): dist/cli.mjs is a rollup-bundled CLI artifact for postcss-preset-env; minification is expected and the code contains only legitimate PostCSS ecosystem imports with no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/cli.mjs | AI (source-diff): The net+exec signal is a false positive; the file uses fs/url/tty Node builtins for CLI I/O, not for network-based code execution. No fetch, eval, or child_process usage present. | ai | |
| npm-metadata | url-dep:postcss-font-family-system-ui | AI (npm-metadata): GitHub URL dep points to the same trusted publisher's own repo; acceptable for an early-stage plugin not yet on npm registry. | ai | |
| dependencies | unvetted-dep:postcss-color-function | AI (dependencies): postcss-color-function is a legitimate PostCSS plugin for CSS color function transforms; expected dependency for this meta-plugin. | ai | |
| dependencies | unvetted-dep:postcss-image-set-polyfill | AI (dependencies): postcss-image-set-polyfill is a legitimate postcss plugin; unvetted status reflects review queue lag, not malicious intent. | ai | |
| dependencies | unvetted-dep:postcss-font-family-system-ui | AI (dependencies): postcss-font-family-system-ui is authored by jonathantneal (same trusted publisher); GitHub dep is expected for this early-stage plugin. | ai | |
| dependencies | unvetted-dep:postcss-apply | AI (dependencies): postcss-apply is a legitimate postcss plugin by the same author ecosystem; unvetted status reflects review queue lag, not malicious intent. | ai | |
| source-diff | obfuscated-file:dist/index.mjs | AI (source-diff): Standard rollup-bundled ESM build artifact; sample shows legitimate PostCSS plugin code with known CSS tooling imports, no obfuscation or malicious content. | ai | |
| provenance | publisher-changed | AI (provenance): Documented, legitimate maintainer transition from jonathantneal to csstools org (romainmenke). romainmenke has strong track record (99 approved, 0 rejected). Transfer is reflected in the official csstools/postcss-plugins monorepo. | ai | |
| source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): Standard rollup-bundled build artifact; sample shows legitimate PostCSS plugin code with known CSS tooling imports, no obfuscation or malicious content. | ai | |
| dependencies | unvetted-dep:postcss-custom-properties | AI (dependencies): postcss-custom-properties is a standard csstools PostCSS plugin; expected dependency for this plugin pack. | ai | |
| dependencies | unvetted-dep:autoprefixer | AI (dependencies): autoprefixer is a core, well-known PostCSS plugin; expected dependency for postcss-preset-env. | ai | |
| dependencies | unvetted-dep:cssdb | AI (dependencies): cssdb is the canonical CSS feature database used by postcss-preset-env; legitimate dependency. | ai | |
| dependencies | unvetted-dep:postcss-nesting | AI (dependencies): postcss-nesting is a standard csstools PostCSS plugin; expected dependency for this plugin pack. | ai | |
| dependencies | unvetted-dep:postcss-logical | AI (dependencies): postcss-logical is a standard csstools PostCSS plugin; expected dependency for this plugin pack. | ai | |
| phantom-deps | phantom-dep:@csstools/postcss-progressive-custom-properties | AI (phantom-deps): @csstools/postcss-progressive-custom-properties is a legitimate runtime dep from the same org; indirect usage pattern is stable for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:cssdb | AI (phantom-deps): cssdb is a legitimate runtime dep listed in package.json; referenced in config/docs rather than direct imports — stable pattern for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:browserslist | AI (phantom-deps): browserslist is a legitimate runtime dep; indirect usage pattern is stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss-clamp | AI (phantom-deps): postcss-clamp is a legitimate runtime dep; indirect usage pattern is stable for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:postcss-page-break | AI (phantom-deps): postcss-page-break is a legitimate runtime dep; indirect usage pattern is stable for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:postcss-font-variant | AI (phantom-deps): postcss-font-variant is a legitimate runtime dep; indirect usage pattern is stable for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:postcss-opacity-percentage | AI (phantom-deps): postcss-opacity-percentage is a legitimate runtime dep; indirect usage pattern is stable for this plugin-pack. | ai | |
| phantom-deps | phantom-dep:postcss-replace-overflow-wrap | AI (phantom-deps): postcss-replace-overflow-wrap is a legitimate runtime dep; indirect usage pattern is stable for this plugin-pack. | ai | |
| dependencies | unvetted-dep:postcss-color-mod-function | AI (dependencies): postcss-color-mod-function is a known csstools/jonathantneal PostCSS plugin; its inclusion is expected and appropriate for postcss-preset-env's purpose. | ai | |
| dependencies | unvetted-dep:postcss-selector-matches | AI (dependencies): postcss-selector-matches is a known csstools/jonathantneal PostCSS plugin; its inclusion is expected and appropriate for postcss-preset-env's purpose. | ai | |
| dependencies | unvetted-dep:postcss-color-gray | AI (dependencies): postcss-color-gray is a known csstools/jonathantneal PostCSS plugin; its inclusion is expected and appropriate for postcss-preset-env's purpose. | ai | |
| license | uncommon-license:MIT-0 | AI (license): MIT-0 is a valid, well-understood permissive open-source license (MIT without attribution requirement); stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established csstools package from known maintainer; lack of provenance is common and not a security risk here. | ai |
Versions (showing 51 of 147)
| Version | Deps | Published |
|---|---|---|
| 11.3.0 | 75 / 0 | |
| 11.2.1 | 73 / 0 | |
| 11.2.0 | 73 / 0 | |
| 11.1.3 | 72 / 0 | |
| 11.1.2 | 72 / 0 | |
| 11.1.1 | 72 / 0 | |
| 11.1.0 | 72 / 0 | |
| 11.0.1 | 71 / 0 | |
| 11.0.0 | 71 / 0 | |
| 10.6.1 | 71 / 0 | |
| 10.6.0 | 71 / 0 | |
| 10.5.0 | 69 / 0 | |
| 10.4.0 | 67 / 0 | |
| 10.3.1 | 66 / 0 | |
| 10.3.0 | 66 / 0 | |
| 10.2.4 | 64 / 0 | |
| 10.2.3 | 64 / 0 | |
| 10.2.2 | 64 / 0 | |
| 10.2.1 | 64 / 0 | |
| 10.2.0 | 64 / 0 | |
| 10.1.6 | 63 / 0 | |
| 10.1.5 | 63 / 0 | |
| 10.1.4 | 63 / 0 | |
| 10.1.3 | 63 / 0 | |
| 10.1.2 | 63 / 0 | |
| 10.1.1 | 63 / 0 | |
| 10.1.0 | 63 / 0 | |
| 10.0.9 | 61 / 0 | |
| 10.0.8 | 61 / 0 | |
| 10.0.7 | 61 / 0 | |
| 10.0.6 | 61 / 0 | |
| 10.0.5 | 61 / 0 | |
| 10.0.4 | 61 / 0 | |
| 10.0.3 | 61 / 0 | |
| 10.0.2 | 61 / 0 | |
| 10.0.1 | 61 / 0 | |
| 10.0.0 | 61 / 0 | |
| 9.6.0 | 61 / 0 | |
| 9.5.16 | 60 / 0 | |
| 9.5.15 | 60 / 0 | |
| 9.5.14 | 60 / 0 | |
| 9.5.13 | 60 / 0 | |
| 9.5.12 | 60 / 0 | |
| 9.5.11 | 60 / 0 | |
| 9.5.10 | 60 / 0 | |
| 9.5.9 | 60 / 0 | |
| 9.5.8 | 60 / 0 | |
| 9.5.7 | 60 / 0 | |
| 9.5.6 | 60 / 0 | |
| 9.5.5 | 60 / 0 | |
| 9.5.4 | 60 / 0 |
v11.3.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.6
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.5
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.