@primer/stylelint-config MIT 2 versions

@primer/stylelint-config

npm Repository Homepage

Sharable stylelint config used by GitHub's CSS

Versions

MIT

License

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

primer-css

githubprimercssstylelint-configstylelint

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Require path is a hardcoded template string loading @primer/primitives data files; no user-controlled input.	ai	2026/05/21
phantom-deps	phantom-dep:postcss-scss	AI (phantom-deps): Stylelint config references plugins by name in config objects, not via direct import; stable pattern for this package.	ai	2026/05/21
phantom-deps	phantom-dep:stylelint-scss	AI (phantom-deps): Same config-reference pattern; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:postcss-styled-syntax	AI (phantom-deps): Same config-reference pattern; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:stylelint-browser-compat	AI (phantom-deps): Same config-reference pattern; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:stylelint-config-standard	AI (phantom-deps): Same config-reference pattern; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:stylelint-value-no-unknown-custom-properties	AI (phantom-deps): Same config-reference pattern; stable false positive for this package.	ai	2026/05/21

Version	Deps	Published
13.6.0	10 / 20	2026-03-17
13.4.0	10 / 19	2025-10-06

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.