@quartzds/icon-generator

Quartz design system icon generator

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

quartzfmquartzds-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall runs 'husky' for git hooks setup; standard dev tooling, stable for this package.	ai	2026/05/21
dependencies	unvetted-dep:fantasticon	AI (dependencies): fantasticon is a legitimate icon font generation library; its use is expected and stable for this icon-generator package.	ai	2026/05/12
dependencies	unvetted-dep:svgo	AI (dependencies): svgo is a well-known SVG optimizer; stable legitimate dep for an icon generator.	ai	2026/05/06
dependencies	unvetted-dep:@twbs/fantasticon	AI (dependencies): @twbs/fantasticon is the Bootstrap-maintained icon font generator; expected dep here.	ai	2026/05/06
dependencies	unvetted-dep:@figma/code-connect	AI (dependencies): Official Figma SDK; legitimate dep for a design-system icon generator.	ai	2026/05/06
provenance	no-provenance	AI (provenance): Common for this package's age and ecosystem; no other risk signals present.	ai	2026/04/30

Versions (showing 6 of 6)

Version	Deps	Published
10.3.1	9 / 0	2025-12-23
10.3.0	9 / 0	2025-12-22
10.2.4	8 / 0	2025-10-28
10.2.3	8 / 0	2025-10-28
10.2.1	8 / 0	2025-10-23
10.2.0	8 / 34	2025-10-22

v10.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.