react-base16-styling
React styling with base16 color scheme support
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Legitimate transfer from alexkuz to methuselah96 as part of the move to the reduxjs/redux-devtools monorepo. methuselah96 is a trusted Redux ecosystem maintainer. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): methuselah96 and timdorr are established Redux DevTools maintainers; this reflects the project's move to the reduxjs org. | ai | |
| provenance | missing-githead | AI (provenance): Monorepo tooling change from npm to pnpm; publisher is established redux-devtools maintainer with strong track record. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Stable monorepo sub-package with infrequent releases; known maintainer with 329 approved packages. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common; publisher methuselah96 is a trusted redux-devtools maintainer. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 0.10.0 | 4 / 13 | |
| 0.9.1 | 7 / 18 | |
| 0.9.0 | 7 / 21 | |
| 0.8.2 | 6 / 16 | |
| 0.8.1 | 6 / 16 | |
| 0.8.0 | 6 / 1 | |
| 0.7.0 | 4 / 6 | |
| 0.6.0 | 4 / 13 | |
| 0.5.3 | 4 / 13 | |
| 0.5.2 | 5 / 13 | |
| 0.5.1 | 5 / 13 | |
| 0.5.0 | 5 / 13 | |
| 0.4.7 | 5 / 9 | |
| 0.4.6 | 5 / 9 | |
| 0.4.5 | 5 / 9 | |
| 0.4.4 | 5 / 9 | |
| 0.4.3 | 5 / 9 | |
| 0.4.1 | 5 / 9 | |
| 0.4.0 | 4 / 9 | |
| 0.3.0 | 2 / 8 | |
| 0.2.3 | 2 / 8 | |
| 0.2.2 | 2 / 8 | |
| 0.2.1 | 2 / 8 | |
| 0.2.0 | 2 / 8 | |
| 0.1.0 | 2 / 8 | |
v0.10.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: methuselah96.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings
This version was published by a different npm account than previous versions on 2020-08-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: alexkuz.
v0.5.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.