@codecademy/gamut-kit
Styleguide & Component library for Codecademy
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Org account rename from codecademy to codecademy-eng; confirmed same maintainer by email match across 122 approved packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): codecademy-eng is the renamed org account, not a new external party. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): codecademy account removal is the other side of the org rename; same entity. | ai | |
| provenance | no-provenance | AI (provenance): Large org monorepo with long publish history; absence of Sigstore attestation is not a risk signal here. | ai | |
| dependencies | unvetted-dep:component-test-setup | AI (dependencies): component-test-setup is a test utility, also flagged as phantom (not directly imported); stable low-risk pattern for this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): High-frequency monorepo CI publishing pattern; 8939 versions published over 5+ years is consistent with automated pipelines. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut-patterns | AI (phantom-deps): Same-org aggregator pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut | AI (phantom-deps): Kit package re-exports org deps; not directly imported by design. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal design system kit; sparse README and no keywords are expected for internal tooling packages. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut-illustrations | AI (phantom-deps): Same-org aggregator pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@codecademy/variance | AI (phantom-deps): Same-org aggregator pattern; phantom-dep is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:component-test-setup | AI (phantom-deps): Referenced in config files per finding; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut-icons | AI (phantom-deps): Same-org aggregator pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut-tests | AI (phantom-deps): Same-org aggregator pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@codecademy/gamut-styles | AI (phantom-deps): Same-org aggregator pattern; stable false positive. | ai | |
Versions (showing 100 of 104)
| Version | Deps | Published |
|---|---|---|
| 2.0.0 | 8 / 0 | |
| 1.0.0 | 8 / 0 | |
| 0.6.603 | 8 / 0 | |
| 0.6.602 | 8 / 0 | |
| 0.6.601 | 8 / 0 | |
| 0.6.600 | 8 / 0 | |
| 0.6.599 | 8 / 0 | |
| 0.6.598 | 8 / 0 | |
| 0.6.597 | 8 / 0 | |
| 0.6.596 | 8 / 0 | |
| 0.6.595 | 8 / 0 | |
| 0.6.594 | 8 / 0 | |
| 0.6.593 | 8 / 0 | |
| 0.6.592 | 8 / 0 | |
| 0.6.591 | 8 / 0 | |
| 0.6.590 | 8 / 0 | |
| 0.6.589 | 8 / 0 | |
| 0.6.588 | 8 / 0 | |
| 0.6.587 | 8 / 0 | |
| 0.6.586 | 8 / 0 | |
| 0.6.585 | 8 / 0 | |
| 0.6.584 | 8 / 0 | |
| 0.6.583 | 8 / 0 | |
| 0.6.582 | 8 / 0 | |
| 0.6.581 | 8 / 0 | |
| 0.6.580 | 8 / 0 | |
| 0.6.579 | 8 / 0 | |
| 0.6.578 | 8 / 0 | |
| 0.6.577 | 8 / 0 | |
| 0.6.576 | 8 / 0 | |
| 0.6.575 | 8 / 0 | |
| 0.6.574 | 8 / 0 | |
| 0.6.573 | 8 / 0 | |
| 0.6.572 | 8 / 0 | |
| 0.6.571 | 8 / 0 | |
| 0.6.570 | 8 / 0 | |
| 0.6.569 | 8 / 0 | |
| 0.6.568 | 8 / 0 | |
| 0.6.567 | 8 / 0 | |
| 0.6.566 | 8 / 0 | |
| 0.6.565 | 8 / 0 | |
| 0.6.564 | 8 / 0 | |
| 0.6.563 | 8 / 0 | |
| 0.6.562 | 8 / 0 | |
| 0.6.561 | 8 / 0 | |
| 0.6.560 | 8 / 0 | |
| 0.6.559 | 8 / 0 | |
| 0.6.558 | 8 / 0 | |
| 0.6.557 | 8 / 0 | |
| 0.6.556 | 8 / 0 | |
| 0.6.555 | 8 / 0 | |
| 0.6.554 | 8 / 0 | |
| 0.6.553 | 8 / 0 | |
| 0.6.552 | 8 / 0 | |
| 0.6.551 | 8 / 0 | |
| 0.6.550 | 8 / 0 | |
| 0.6.549 | 8 / 0 | |
| 0.6.548 | 8 / 0 | |
| 0.6.547 | 8 / 0 | |
| 0.6.546 | 8 / 0 | |
| 0.6.545 | 8 / 0 | |
| 0.6.544 | 8 / 0 | |
| 0.6.543 | 8 / 0 | |
| 0.6.542 | 8 / 0 | |
| 0.6.541 | 8 / 0 | |
| 0.6.540 | 8 / 0 | |
| 0.6.539 | 8 / 0 | |
| 0.6.538 | 8 / 0 | |
| 0.6.537 | 8 / 0 | |
| 0.6.536 | 8 / 0 | |
| 0.6.535 | 8 / 0 | |
| 0.6.534 | 8 / 0 | |
| 0.6.533 | 8 / 0 | |
| 0.6.532 | 8 / 0 | |
| 0.6.531 | 8 / 0 | |
| 0.6.530 | 8 / 0 | |
| 0.6.529 | 8 / 0 | |
| 0.6.528 | 8 / 0 | |
| 0.6.527 | 8 / 0 | |
| 0.6.526 | 8 / 0 | |
| 0.6.525 | 8 / 0 | |
| 0.6.524 | 8 / 0 | |
| 0.6.523 | 8 / 0 | |
| 0.6.522 | 8 / 0 | |
| 0.6.521 | 8 / 0 | |
| 0.6.520 | 8 / 0 | |
| 0.6.519 | 8 / 0 | |
| 0.6.518 | 8 / 0 | |
| 0.6.517 | 8 / 0 | |
| 0.6.516 | 8 / 0 | |
| 0.6.515 | 8 / 0 | |
| 0.6.514 | 8 / 0 | |
| 0.6.513 | 8 / 0 | |
| 0.6.512 | 8 / 0 | |
| 0.6.511 | 8 / 0 | |
| 0.6.510 | 8 / 0 | |
| 0.6.509 | 8 / 0 | |
| 0.6.508 | 8 / 0 | |
| 0.6.507 | 8 / 0 | |
| 0.6.506 | 8 / 0 | |
v2.0.0 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.603 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.602 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.601 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.600 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.599 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.598 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.597 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.596 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.595 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.594 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.592 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.591 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.590 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.589 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.588 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.587 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.586 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.585 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.584 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.583 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.582 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.581 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.580 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.579 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2026-01-29, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.578 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2026-01-28, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.577 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2026-01-26, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.576 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2026-01-12, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.575 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2026-01-05, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.574 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2025-12-23, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.573 (3 findings):
- All previous maintainers (codecademy) were replaced by new maintainers (codecademy-eng). This is a strong signal of a potential package hijack and requires careful review.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (codecademy-eng) than the most recent previously approved version (codecademy) on 2025-12-10, but codecademy-eng is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.572 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.571 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.570 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.569 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.568 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.567 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.566 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.565 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.564 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.563 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.562 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.561 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.560 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.559 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.558 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.557 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.556 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.555 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.554 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.553 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.552 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.551 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.550 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.549 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.548 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.547 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.546 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.545 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.544 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.543 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.542 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.541 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.540 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.539 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.538 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.537 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.536 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.535 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.534 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.533 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.532 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.531 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.530 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.529 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.528 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.527 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.526 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.525 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.524 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.523 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.522 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.521 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.520 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.519 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.518 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.517 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.516 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.515 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.514 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.513 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.512 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.511 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.510 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.509 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.508 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.507 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.506 (1 finding): [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.