← Home

sass

npm Repository Homepage

A pure JavaScript implementation of Sass.

82
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

nex3hcatlin

Keywords

stylescsssasspreprocessorcss

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-tripled AI (source-diff): sass ships as a compiled Dart-to-JS bundle; size growth between versions is expected as features are added to the Dart runtime and compiler. No obfuscation or payload indicators. ai
phantom-deps phantom-dep:chokidar AI (phantom-deps): chokidar is a legitimate runtime dependency used by the sass CLI for --watch mode; it is correctly declared in package.json and its indirect usage pattern is stable for this package. ai
source-diff large-new-source-files AI (source-diff): Dart Sass transpilation regularly produces new JS source files; expected for this package's build process. ai
publish-pattern new-deps-added AI (publish-pattern): source-map-js is a legitimate dependency for a transpiler generating source maps, not an attack vector. ai
dependencies unvetted-dep:@parcel/watcher AI (dependencies): @parcel/watcher is a well-known, widely-used file-watching library from the Parcel ecosystem; its use in sass for watch-mode is expected and benign. ai
provenance no-provenance AI (provenance): sass is a long-established, high-trust package; lack of Sigstore provenance is not a meaningful risk signal here. ai
provenance publisher-changed AI (provenance): Publisher change reflects documented transition to GitHub Actions automation for the official Dart Sass project; SLSA provenance confirms integrity. ai
source-diff encoded-string-file:sass.dart.js AI (source-diff): Encoded strings are UTF-8 state machine lookup tables in transpiled Dart code; standard pattern, not malicious. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer removal alone is normal in long-lived projects; no new maintainers added and publisher has clean track record. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require with try-catch for optional @parcel/watcher dependency; standard pattern for optional native bindings. ai
dependencies unvetted-dep:source-map-js AI (dependencies): source-map-js is a standard, established utility for source map handling in transpilers; appropriate for Sass. ai

Versions (showing 82 of 282)

Version Deps Published
1.27.1 1 / 0
1.27.0 1 / 0
1.26.12 1 / 0
1.26.11 1 / 0
1.26.10 1 / 0
1.26.9 1 / 0
1.26.8 1 / 0
1.26.7 1 / 0
1.26.6 1 / 0
1.26.5 1 / 0
1.26.3 1 / 0
1.26.2 1 / 0
1.26.1 1 / 0
1.26.0 1 / 0
1.25.0 1 / 0
1.24.5 1 / 0
1.24.4 1 / 0
1.24.3 1 / 0
1.24.2 1 / 0
1.24.1 1 / 0
1.24.0 1 / 0
1.23.7 1 / 0
1.23.6 1 / 0
1.23.5 1 / 0
1.23.3 1 / 0
1.23.2 1 / 0
1.23.1 1 / 0
1.23.0 1 / 0
1.22.12 1 / 0
1.22.10 1 / 0
1.22.9 1 / 0
1.22.7 1 / 0
1.22.6 1 / 0
1.22.5 1 / 0
1.22.4 1 / 0
1.22.3 1 / 0
1.22.2 1 / 0
1.22.1 1 / 0
1.22.0 1 / 0
1.21.0 1 / 0
1.20.3 1 / 0
1.20.1 1 / 0
1.19.0 1 / 0
1.18.0 1 / 0
1.17.4 1 / 0
1.17.3 1 / 0
1.17.2 1 / 0
1.17.1 1 / 0
1.17.0 1 / 0
1.16.1 1 / 0
1.16.0 1 / 0
1.15.3 1 / 0
1.15.2 1 / 0
1.15.1 1 / 0
1.15.0 1 / 0
1.14.3 1 / 0
1.14.2 1 / 0
1.14.1 1 / 0
1.14.0 1 / 0
1.13.4 1 / 0
1.13.3 1 / 0
1.13.2 1 / 0
1.13.1 1 / 0
1.13.0 1 / 0
1.12.0 1 / 0
1.11.0 1 / 0
1.10.4 1 / 0
1.10.3 1 / 0
1.10.2 1 / 0
1.10.1 1 / 0
1.10.0 1 / 0
1.9.2 1 / 0
1.9.1 1 / 0
1.9.0 1 / 0
1.8.0 1 / 0
1.7.3 1 / 0
1.7.2 1 / 0
1.7.1 1 / 0
1.7.0 1 / 0
1.6.2 1 / 0
1.6.1 1 / 0
1.6.0 1 / 0