stylelint-config-recommended

Recommended shareable config for Stylelint

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

jeddy3ybiquitousromainmenkentwb

Keywords

stylelintstylelint-configrecommended

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Stylelint org moved to GitHub Actions for automated releases; publisher-changed to GitHub Actions with SLSA provenance is the expected pattern for this package going forward.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer list consolidation is consistent with the Stylelint org's move to CI/CD-based releases; SLSA provenance confirms legitimate org-controlled publishing.	ai	2026/04/23

Versions (showing 24 of 24)

Version	Deps	Published
18.0.0	0 / 10	2026-01-15
17.0.0	0 / 11	2025-07-29
16.0.0	0 / 11	2025-04-06
15.0.0	0 / 11	2025-01-12
14.0.1	0 / 11	2024-06-21
14.0.0	0 / 11	2023-12-08
13.0.0	0 / 13	2023-07-04
12.0.0	0 / 13	2023-04-16
11.0.0	0 / 13	2023-03-16
10.0.1	0 / 12	2023-02-09
10.0.0	0 / 12	2023-02-09
9.0.0	0 / 12	2022-08-11
8.0.0	0 / 12	2022-06-08
7.0.0	0 / 12	2022-02-08
6.0.0	0 / 12	2021-10-21
5.0.0	0 / 14	2021-04-24
4.0.0	0 / 14	2021-03-06
3.0.0	0 / 10	2019-09-15
2.2.0	0 / 10	2019-04-13
2.1.0	0 / 9	2018-02-18
2.0.1	0 / 9	2017-12-19
2.0.0	0 / 9	2017-11-26
1.0.0	0 / 9	2017-07-16
0.1.0	0 / 9	2017-07-01

v18.0.0

2 findings

HIGH Publisher changed: jeddy3 → GitHub Actions (on 2026-01-15) provenance

This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v17.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v15.0.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ybiquitous → jeddy3 (on 2025-01-12) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-12. This could indicate a legitimate maintainer transition or an account compromise.

v14.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.