@terrazzo/parser — Greenflagged

Parser/validator for the Design Tokens Community Group (DTCG) standard.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

drewpowers

Keywords

design tokensdtcgcliw3cdesign systemtypescriptsasscssstyle tokensstyle systemlintinglint

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	slsa-provenance	AI (provenance): Package consistently published via CI with SLSA attestation; strong supply chain integrity signal.	ai	2026/05/17
phantom-deps	phantom-dep:fast-deep-equal	AI (phantom-deps): Declared as runtime dep; may be used indirectly via re-exports or conditionally — stable false positive for this package.	ai	2026/05/17
dependencies	unvetted-dep:merge-anything	AI (dependencies): merge-anything is a popular, legitimate utility package. No security concerns.	ai	2026/04/26
phantom-deps	phantom-dep:@types/culori	AI (phantom-deps): @types/culori is a type-only dependency; not directly imported at runtime but used for TypeScript consumers. Stable pattern for this package.	ai	2026/04/26
dependencies	unvetted-dep:@types/babel__code-frame	AI (dependencies): TypeScript type definitions for @babel/code-frame; a legitimate, well-known package. Stable false positive for this package.	ai	2026/04/26
dependencies	unvetted-dep:@types/culori	AI (dependencies): TypeScript type definitions for culori; a legitimate, well-known package. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:@types/babel__code-frame	AI (phantom-deps): Type-only package, framework-scoped; no runtime risk. Stable false positive for this package.	ai	2026/04/26
typosquat	typosquat.levenshtein:parcel	AI (typosquat): @terrazzo/parser is a scoped package whose name describes its function (DTCG token parser); the levenshtein match to 'parcel' is a false positive that will recur on every version.	ai	2026/04/25

Versions (showing 7 of 7)

Version	Deps	Published
2.2.0	9 / 1	2026-05-16
2.1.0	9 / 1	2026-04-25
2.0.3	9 / 1	2026-04-14
2.0.2	9 / 1	2026-04-10
2.0.1	9 / 1	2026-04-09
2.0.0	9 / 1	2026-03-17
0.10.5	9 / 1	2025-11-28

v2.2.0

2 findings

HIGH Publisher changed: drewpowers → GitHub Actions (on 2026-05-16) provenance

This version was published by a different npm account than previous versions on 2026-05-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.