rgb
converts all sorts of colors to rgb format.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:pg | AI (typosquat): 'rgb' is a semantically distinct, 13-year-old package with 192k weekly downloads. Levenshtein proximity to 'pg' is coincidental; no impersonation intent. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Package is 13 years old with 192k weekly downloads. Version 0.0.0 reflects early npm era conventions, not malicious intent. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse metadata is consistent with early npm era (2011-2012). High download volume and age confirm this is a legitimate, established package. | ai | |
| email-domain | unclaimed-email:kamicane | AI (email-domain): Author field uses @kamicane as a social handle, not a real email domain. Publisher account is long-established (4832 days) with clean record. | ai |
v0.1.0
2 findingsMaintainer email '@kamicane' uses domain 'kamicane' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.