
@tailwindcss/upgrade

A utility-first CSS framework for rapidly building custom user interfaces.

Versions: 20
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, No source commit

Maintainers

reinink, adamwathan, malfaitrobin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): malfaitrobin (Robin Malfait) is a core Tailwind Labs maintainer; publisher rotation within the org is expected. | ai |
phantom-deps | phantom-dep:braces | AI (phantom-deps): braces is a declared runtime dependency; phantom-dep heuristic is a false positive here. | ai |
phantom-deps | phantom-dep:dedent | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:globby | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:postcss | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:prettier | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:picocolors | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:mri | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:postcss-import | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:enhanced-resolve | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:@tailwindcss/node | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:@tailwindcss/oxide | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:tree-sitter-typescript | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:postcss-selector-parser | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:tree-sitter | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |
phantom-deps | phantom-dep:jiti | AI (phantom-deps): CLI tool; dependencies loaded dynamically via config, not direct imports. | ai |

Versions (showing 20 of 20)

Version Deps Published
4.3.0 16 / 3
4.2.4 16 / 3
4.2.3 16 / 3
4.2.2 16 / 3
4.2.1 17 / 4
4.2.0 17 / 4
4.1.18 17 / 4
4.1.17 17 / 4
4.1.16 17 / 4
4.1.15 17 / 4
4.1.14 17 / 4
4.1.13 17 / 4
4.1.12 17 / 4
4.1.11 17 / 4
4.1.10 17 / 4
4.1.9 17 / 4
4.1.8 17 / 4
4.1.7 17 / 4
4.1.6 17 / 4
4.1.5 17 / 4

v4.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.2

2 findings
HIGH Publisher changed: adamwathan → malfaitrobin (on 2026-03-18) provenance

This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.1

2 findings
HIGH Publisher changed: adamwathan → malfaitrobin (on 2026-02-23) provenance

This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

2 findings
HIGH Publisher changed: adamwathan → malfaitrobin (on 2026-02-18) provenance

This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.18

2 findings
HIGH Publisher changed: adamwathan → malfaitrobin (on 2025-12-11) provenance

This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.17

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.