@emotion/styled
styled API for emotion
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Emotion project historically has long release gaps; the same automation bot (emotion-release-bot) published this version with a clean 27/0 track record. Dormancy is consistent with project history. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count reflects multiple environment-specific build outputs (edge-light, browser, worker, workerd) added to the exports map, consistent with the package.json exports structure. Not injected code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mitchellhamilton is the original emotion creator who stepped back; emmatown is a known contributor. This is a documented legitimate transition in the emotion project, not a takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new deps are first-party @emotion/* packages or @babel/runtime; this is a v10→v11 major version restructuring within the official emotion-js monorepo, not a suspicious third-party addition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): andarist (Artem Zakharchenko) is a well-known legitimate maintainer of the emotion-js project; this addition is a routine contributor formalization, not a suspicious takeover. | ai | |
| dependencies | unvetted-dep:@emotion/styled-base | AI (dependencies): @emotion/styled-base is a sibling package in the Emotion monorepo, published by the same trusted emotion-release-bot. This dependency is expected and stable across all versions. | ai | |
| dependencies | unvetted-peer-dep:@emotion/core | AI (dependencies): @emotion/core is a sibling Emotion monorepo package from the same trusted publisher. Peer dep is expected and stable across all versions. | ai | |
| dependencies | unvetted-dep:@emotion/is-prop-valid | AI (dependencies): @emotion/is-prop-valid is a first-party emotion scoped package and a documented core dependency of @emotion/styled; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): emotion-release-bot has a clean track record; lack of Sigstore provenance is common and not a risk signal for this established publisher. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 11.14.1 | 6 / 4 | |
| 11.14.0 | 6 / 4 | |
| 11.13.5 | 6 / 4 | |
| 11.13.0 | 6 / 4 | |
| 11.12.0 | 6 / 4 | |
| 11.10.4 | 6 / 5 | |
| 11.9.3 | 5 / 5 | |
| 10.0.27 | 2 / 3 | |
v11.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.13.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.10.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.