← Home

@tryghost/color-utils

npm Repository Homepage

`npm install @tryghost/color-utils --save`

14
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

zimoatghostallouiskernalghostchrisraibleerisdsjohnonolankevinansfieldcobbspuraileencgnjlohminimaluminiumsam-lordpauladamdavisbobvaneckjoeegrigghadretjonhickmanerik-ghostsagzyvershwalmike182ukluissazevedolsingernickmoretonrenatoworksrblstr-ghostevanhahn-ghostweylandswartghost-slimertmciescojonatan-ghost9larsons

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Ghost Foundation migrated publishing to GitHub Actions CI with SLSA attestation; stable pattern for this org. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainers are Ghost Foundation employees (ghost-suffixed accounts); legitimate org roster change. ai
maintainer-change maintainer-removed AI (maintainer-change): Removal of ibalosh consistent with org-level maintainer rotation, not a takeover signal. ai
phantom-deps phantom-dep:@types/color AI (phantom-deps): @types/color is a type declaration package; not directly imported at runtime by convention. ai

Versions (showing 14 of 14)

Version Deps Published
0.2.18 2 / 11
0.2.17 2 / 11
0.2.16 2 / 11
0.2.15 2 / 11
0.2.14 2 / 11
0.2.13 2 / 10
0.2.12 2 / 10
0.2.10 2 / 10
0.2.9 2 / 10
0.2.8 2 / 10
0.2.7 2 / 10
0.2.6 2 / 10
0.2.5 2 / 10
0.2.4 2 / 10

v0.2.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.15

2 findings
HIGH Publisher changed: vershwal → GitHub Actions (on 2026-02-26) provenance

This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.10

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: 9larsons → kevinansfield (on 2025-07-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-22. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.9

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: daniellockyer → sagzy (on 2025-07-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-08. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.8

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: daniellockyer → tmciesco (on 2025-07-03) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-03. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.7

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: daniellockyer → 9larsons (on 2025-06-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-25. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.6

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: daniellockyer → erisds (on 2025-05-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-25. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.