typography
Opinionated toolkit for building websites with beautiful typography
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to adding multiple build output formats (CJS, ESM, UMD) and source maps via microbundle — a legitimate build tooling change. | ai | |
| source-diff | obfuscated-file:dist/index.m.js | AI (source-diff): Standard microbundle minified output; not obfuscated malware. This is the expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/typography.js | AI (source-diff): Standard microbundle minified output; not obfuscated malware. This is the expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/typography.m.js | AI (source-diff): Standard microbundle minified output; not obfuscated malware. This is the expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): dist/index.js is a standard microbundle-generated minified build artifact for this library. Content is readable minified JS with no malicious patterns; stable for this package. | ai | |
| source-diff | obfuscated-file:dist/index.modern.js | AI (source-diff): dist/index.modern.js is a standard microbundle-generated ESM build artifact. Content is readable minified JS with no malicious patterns; stable for this package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): The raw IP 0.0.0.0:8080 is a standard webpack-dev-server local development bind address in webpack.config.js — not a suspicious external network request. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance on npm by years; publisher has strong track record. No provenance is expected and acceptable here. | ai | |
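The accepted-risk rules above (no-provenance, the missing gitHead, obfuscated-file, source-size-tripled) are all mechanical checks over npm registry metadata and the unpacked tarball. The following is an added example, not the scanner's code and not part of the typography package, that re-implements those four checks. The packument and file contents are constructed for a hypothetical `example-pkg`; the field names it reads (`gitHead`, `dist.unpackedSize`, `dist.attestations.provenance.predicateType`) are the ones the npm registry actually serves, and the 3000-character line threshold is the one this report uses.

```javascript
// Added example: re-implementation of the report's registry/tarball checks.
// Not the scanner's code; sample data below is constructed, not fetched.
const MAX_LINE = 3000; // threshold used by the "obfuscated-file" rule on this page

// Minimal semver ordering for x.y.z (prerelease tags ignored; enough for this check).
function parseSemver(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Sigstore provenance appears in the registry as dist.attestations with a provenance
// predicate. Its absence is the "no-provenance" finding.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// `npm publish` records gitHead from the git checkout it ran in. A version that drops it
// after earlier versions carried it means the publish environment changed.
function gitHeadDropped(packument, version) {
  const target = packument.versions[version];
  if (!target || target.gitHead) return false;
  return Object.keys(packument.versions).some(
    (v) => compareSemver(v, version) < 0 && Boolean(packument.versions[v].gitHead)
  );
}

// Minified/obfuscated heuristic: any line longer than MAX_LINE characters.
// files: { "path/in/tarball": "contents" }
function longLineFiles(files, maxLine = MAX_LINE) {
  return Object.keys(files)
    .filter((p) => files[p].split("\n").some((line) => line.length > maxLine))
    .sort();
}

// Size-jump heuristic: unpacked size at least tripled versus the previous version.
function sizeTripled(prevBytes, newBytes) {
  return prevBytes > 0 && newBytes >= 3 * prevBytes;
}

// Returns the rule ids that fire for one version, in the order the report lists them.
function assessVersion(packument, version, files, prevUnpackedBytes) {
  const doc = packument.versions[version];
  const findings = [];
  if (!hasProvenance(doc)) findings.push("no-provenance");
  if (gitHeadDropped(packument, version)) findings.push("no-gitHead");
  for (const p of longLineFiles(files)) findings.push(`obfuscated-file:${p}`);
  if (sizeTripled(prevUnpackedBytes, doc.dist.unpackedSize)) findings.push("source-size-tripled");
  return findings;
}

// Constructed packument for a hypothetical package: 1.0.0 was published from a git
// checkout, 1.0.1 dropped gitHead and tripled in size, 1.0.2 carries provenance.
const packument = {
  name: "example-pkg",
  versions: {
    "1.0.0": { version: "1.0.0", gitHead: "0".repeat(40), dist: { unpackedSize: 20000 } },
    "1.0.1": { version: "1.0.1", dist: { unpackedSize: 70000 } },
    "1.0.2": {
      version: "1.0.2",
      gitHead: "1".repeat(40),
      dist: {
        unpackedSize: 70000,
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.0.2",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Constructed tarball contents for 1.0.1: readable source plus a one-line minified bundle.
const files101 = {
  "src/index.js": "export function rhythm(n) {\n  return n * 1.5;\n}\n",
  "dist/index.js": "!function(){" + "var a=1;".repeat(500) + "}();\n",
};

console.log(JSON.stringify(assessVersion(packument, "1.0.1", files101, 20000)));
console.log(JSON.stringify(assessVersion(packument, "1.0.2", { "src/index.js": "x\n" }, 70000)));
```

To run the same checks against the real package rather than the constructed data, `npm view typography@0.16.21 gitHead dist.attestations --json` shows the two metadata fields, `npm audit signatures` in a project that depends on it verifies registry signatures and any attestations for the installed version, and `npm pack typography@0.16.21` followed by `tar -xzf` on the result gives the files to feed into `longLineFiles`. Note that a long-line hit on `dist/` output from a known bundler is exactly the case the reviewer accepted above; the check is a trigger for inspection, not a verdict.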
Versions (showing 51 of 66)
| Version | Deps | Published |
|---|---|---|
| 0.16.24 | 7 / 1 | |
| 0.16.21 | 7 / 1 | |
| 0.16.19 | 7 / 1 | |
| 0.16.17 | 7 / 1 | |
| 0.16.16 | 7 / 1 | |
| 0.16.15 | 7 / 1 | |
| 0.16.6 | 7 / 0 | |
| 0.16.5 | 7 / 0 | |
| 0.16.4 | 7 / 0 | |
| 0.16.0 | 7 / 0 | |
| 0.15.12 | 7 / 0 | |
| 0.15.10 | 7 / 0 | |
| 0.15.8 | 7 / 0 | |
| 0.15.6 | 7 / 0 | |
| 0.15.5 | 7 / 0 | |
| 0.15.4 | 7 / 0 | |
| 0.15.3 | 7 / 0 | |
| 0.15.0 | 7 / 0 | |
| 0.14.0 | 7 / 0 | |
| 0.13.3 | 7 / 0 | |
| 0.13.1 | 7 / 0 | |
| 0.13.0 | 7 / 0 | |
| 0.12.4 | 7 / 0 | |
| 0.12.3 | 7 / 0 | |
| 0.12.2 | 7 / 0 | |
| 0.12.1 | 7 / 0 | |
| 0.12.0 | 7 / 0 | |
| 0.11.11 | 7 / 0 | |
| 0.11.7 | 7 / 0 | |
| 0.11.6 | 7 / 0 | |
| 0.11.4 | 7 / 0 | |
| 0.11.1 | 7 / 0 | |
| 0.11.0 | 7 / 0 | |
| 0.10.6 | 7 / 0 | |
| 0.10.1 | 7 / 0 | |
| 0.10.0 | 7 / 0 | |
| 0.9.1 | 6 / 42 | |
| 0.9.0 | 6 / 39 | |
| 0.8.3 | 6 / 39 | |
| 0.8.2 | 6 / 39 | |
| 0.8.1 | 6 / 39 | |
| 0.8.0 | 10 / 39 | |
| 0.7.0 | 9 / 30 | |
| 0.6.2 | 9 / 30 | |
| 0.6.1 | 9 / 30 | |
| 0.6.0 | 9 / 30 | |
| 0.5.3 | 9 / 30 | |
| 0.5.2 | 9 / 30 | |
| 0.5.1 | 9 / 30 | |
| 0.5.0 | 9 / 29 | |
| 0.4.0 | 11 / 29 | |
v0.16.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.21
4 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.15
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.6
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.6
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kylemathews.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.