sass
A pure JavaScript implementation of Sass.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): sass ships as a compiled Dart-to-JS bundle; size growth between versions is expected as features are added to the Dart runtime and compiler. No obfuscation or payload indicators. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): chokidar is a legitimate runtime dependency used by the sass CLI for --watch mode; it is correctly declared in package.json and its indirect usage pattern is stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Dart Sass transpilation regularly produces new JS source files; expected for this package's build process. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): source-map-js is a legitimate dependency for a transpiler generating source maps, not an attack vector. | ai | |
| dependencies | unvetted-dep:@parcel/watcher | AI (dependencies): @parcel/watcher is a well-known, widely-used file-watching library from the Parcel ecosystem; its use in sass for watch-mode is expected and benign. | ai | |
| provenance | no-provenance | AI (provenance): sass is a long-established, high-trust package; lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects documented transition to GitHub Actions automation for the official Dart Sass project; SLSA provenance confirms integrity. | ai | |
| source-diff | encoded-string-file:sass.dart.js | AI (source-diff): Encoded strings are UTF-8 state machine lookup tables in transpiled Dart code; standard pattern, not malicious. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal alone is normal in long-lived projects; no new maintainers added and publisher has clean track record. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require with try-catch for optional @parcel/watcher dependency; standard pattern for optional native bindings. | ai | |
| dependencies | unvetted-dep:source-map-js | AI (dependencies): source-map-js is a standard, established utility for source map handling in transpilers; appropriate for Sass. | ai | |
Versions (showing 51 of 282)
| Version | Deps | Published |
|---|---|---|
| 1.100.0 | 3 / 0 | |
| 1.99.0 | 3 / 0 | |
| 1.98.0 | 3 / 0 | |
| 1.97.3 | 3 / 0 | |
| 1.97.2 | 3 / 0 | |
| 1.97.1 | 3 / 0 | |
| 1.97.0 | 3 / 0 | |
| 1.96.0 | 3 / 0 | |
| 1.95.1 | 3 / 0 | |
| 1.95.0 | 3 / 0 | |
| 1.94.3 | 3 / 0 | |
| 1.94.2 | 3 / 0 | |
| 1.94.1 | 3 / 0 | |
| 1.94.0 | 3 / 0 | |
| 1.93.3 | 3 / 0 | |
| 1.93.2 | 3 / 0 | |
| 1.93.1 | 3 / 0 | |
| 1.93.0 | 3 / 0 | |
| 1.92.1 | 3 / 0 | |
| 1.92.0 | 3 / 0 | |
| 1.91.0 | 3 / 0 | |
| 1.90.0 | 3 / 0 | |
| 1.89.2 | 3 / 0 | |
| 1.89.1 | 3 / 0 | |
| 1.89.0 | 3 / 0 | |
| 1.88.0 | 3 / 0 | |
| 1.87.0 | 3 / 0 | |
| 1.86.3 | 3 / 0 | |
| 1.86.2 | 3 / 0 | |
| 1.86.1 | 3 / 0 | |
| 1.86.0 | 3 / 0 | |
| 1.85.1 | 3 / 0 | |
| 1.85.0 | 3 / 0 | |
| 1.84.0 | 3 / 0 | |
| 1.83.4 | 3 / 0 | |
| 1.83.3 | 3 / 0 | |
| 1.83.2 | 3 / 0 | |
| 1.83.1 | 3 / 0 | |
| 1.83.0 | 3 / 0 | |
| 1.82.0 | 3 / 0 | |
| 1.81.1 | 3 / 0 | |
| 1.81.0 | 3 / 0 | |
| 1.80.7 | 3 / 0 | |
| 1.80.6 | 3 / 0 | |
| 1.80.5 | 4 / 0 | |
| 1.80.4 | 4 / 0 | |
| 1.80.3 | 4 / 0 | |
| 1.80.2 | 4 / 0 | |
| 1.80.1 | 4 / 0 | |
| 1.80.0 | 4 / 0 | |
| 1.79.6 | 4 / 0 | |
v1.100.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.99.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.98.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.95.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.95.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.94.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.94.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.94.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-10. This could indicate a legitimate maintainer transition or an account compromise.
v1.93.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.93.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.92.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.92.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.91.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.88.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.87.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.86.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.86.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.85.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.85.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.83.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.82.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.81.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.81.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.