radium
A set of tools to manage inline styles on React elements
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Radium is an active library; large file additions between minor/major versions are expected and consistent with feature development, not injected code. | ai | |
| phantom-deps | phantom-dep:babel-preset-stage-1 | AI (phantom-deps): Babel preset used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-add-module-exports | AI (phantom-deps): Babel plugin used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-decorators-legacy | AI (phantom-deps): Babel plugin used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-modules-commonjs | AI (phantom-deps): Babel plugin used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-cli | AI (phantom-deps): babel-cli is a devDependency build tool referenced in scripts/config; not a runtime import. Expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:babel-preset-react | AI (phantom-deps): Babel preset used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-preset-es2015-loose | AI (phantom-deps): Babel preset used only during build; referenced in .babelrc config, not runtime code. Expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-flow-comments | AI (phantom-deps): babel-plugin-flow-comments is a legitimate build dependency referenced in config; not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:array-find | AI (phantom-deps): array-find is a legitimate runtime dependency declared in package.json; phantom-dep finding reflects config-only reference, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:babel-core | AI (phantom-deps): babel-core is legitimately declared as a runtime dependency for babel transpilation in this package's build pipeline; phantom-dep detection is a false positive here. | ai | |
| provenance | no-provenance | AI (provenance): Radium is a long-established package predating Sigstore provenance; absence of attestation is expected and not a risk signal for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): False positive on established package; no-keywords and README signals are noise for a well-known library. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Team reorganization at Formidable Labs; new maintainers are known Formidable employees. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Team reorganization at Formidable Labs; removed maintainers reflect normal staff turnover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Radium is in maintenance mode; sporadic publishes are expected for a mature/deprecated package. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate org transition at Formidable Labs; ryan.roemer is a long-standing trusted publisher with 380 approved packages. | ai | |
| phantom-deps | phantom-dep:babel | AI (phantom-deps): babel is a runtime dep used in build scripts (npm run lib), not imported in JS source. Expected for this package's build-on-install pattern. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is used in build scripts (npm run lib/babel), not imported in JS source. Expected for this package's build-on-install pattern. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall only checks for the existence of the lib/ directory and triggers a local Babel compile if missing. No network access or remote code execution; stable benign pattern for this package. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 0.26.2 | 4 / 54 | |
| 0.26.1 | 4 / 54 | |
| 0.24.1 | 3 / 46 | |
| 0.24.0 | 3 / 46 | |
| 0.23.0 | 3 / 46 | |
| 0.22.1 | 3 / 46 | |
| 0.22.0 | 3 / 46 | |
| 0.21.2 | 4 / 49 | |
| 0.21.1 | 4 / 51 | |
| 0.21.0 | 4 / 51 | |
| 0.19.6 | 4 / 50 | |
| 0.19.5 | 4 / 50 | |
| 0.19.4 | 4 / 49 | |
| 0.19.3 | 4 / 49 | |
| 0.19.2 | 5 / 48 | |
| 0.18.1 | 4 / 47 | |
| 0.17.0 | 12 / 39 | |
| 0.16.3 | 5 / 44 | |
| 0.15.3 | 7 / 35 | |
| 0.13.5 | 4 / 27 | |
| 0.13.3 | 5 / 27 | |
| 0.11.1 | 1 / 6 | |
| 0.11.0 | 1 / 6 | |
| 0.10.3 | 1 / 6 | |
| 0.10.2 | 1 / 6 | |
| 0.10.1 | 1 / 6 | |
| 0.10.0 | 1 / 4 | |
| 0.9.1 | 1 / 4 | |
| 0.9.0 | 1 / 4 | |
| 0.0.1 | 0 / 0 | |
v0.26.2
2 findings:
This version was published by a different npm account than previous versions on 2022-03-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-07-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.24.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v0.23.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.1
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-01-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.21.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-01-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.19.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.2
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-07-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.18.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.16.3
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-01-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.15.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.