styled-components
Fast, expressive styling for React.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): GitHub Actions CI/CD publishing commonly omits gitHead; SLSA provenance compensates. | ai | |
| phantom-deps | phantom-dep:shallowequal | AI (phantom-deps): shallowequal is declared and used via config/bundled code; stable false positive for styled-components. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from human to GitHub Actions CI/CD with SLSA provenance — this is the expected modern publishing pattern for styled-components. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance confirms CI/CD publishing from the official repo; positive signal. | ai | |
| provenance | no-provenance | AI (provenance): styled-components is a long-established, high-trust package. Lack of Sigstore provenance is common for packages of this age and does not represent a meaningful risk here. | ai | |
| dependencies | unvetted-dep:@types/stylis | AI (dependencies): @types/stylis is a TypeScript type definition package for stylis, a direct dependency of styled-components. Shipping it as a runtime dep to expose types to consumers is an established pattern for this package. | ai | |
| phantom-deps | phantom-dep:@types/stylis | AI (phantom-deps): @types/stylis is a type-only package used by convention for TypeScript consumers; not being directly imported in JS source is expected behavior. | ai | |
| dependencies | unvetted-dep:css-to-react-native | AI (dependencies): css-to-react-native is a well-known CSS parsing utility expected as a dependency for a CSS-in-JS library targeting React Native. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@emotion/is-prop-valid | AI (dependencies): @emotion/is-prop-valid is a well-known Emotion ecosystem utility for prop filtering. Its use in styled-components is documented and expected. Stable false positive for this package. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 6.4.2 | 4 / 49 | |
| 6.4.1 | 4 / 49 | |
| 6.4.0 | 4 / 49 | |
| 6.3.12 | 9 / 51 | |
| 6.3.11 | 9 / 51 | |
| 6.3.10 | 9 / 51 | |
| 6.3.9 | 9 / 51 | |
| 6.3.8 | 9 / 51 | |
| 6.3.7 | 9 / 51 | |
| 6.3.6 | 9 / 51 | |
| 6.3.5 | 9 / 51 | |
| 6.3.4 | 9 / 51 | |
| 6.3.3 | 9 / 51 | |
| 6.3.2 | 9 / 51 | |
| 6.3.1 | 9 / 51 | |
| 6.3.0 | 9 / 51 | |
| 6.2.0 | 9 / 51 | |
| 6.1.19 | 9 / 47 | |
| 6.1.18 | 9 / 47 | |
| 6.1.2 | 9 / 47 | |
v6.4.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.3.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-01-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.2.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.