@weapp-tailwindcss/merge
A weapp runtime wrapper for Tailwind Merge v3 that handles escape/unescape automatically.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation from the same repo; consistent with legitimate automation adoption. | ai | |
| dependencies | unvetted-dep:tailwind-merge-v2 | AI (dependencies): npm alias pattern (tailwind-merge-v2 -> tailwind-merge@^2.6.0) is a documented technique for shipping multiple major version support. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Part of a legitimate monorepo; README link dump and missing keywords are cosmetic issues, not spam indicators for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall conditionally loads dist/postinstall.cjs only if it exists; benign setup pattern for this established package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require resolves a fixed local path (dist/postinstall.cjs), not user-controlled input; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@weapp-core/escape | AI (phantom-deps): Sibling monorepo dep; declared as runtime dependency, phantom-dep heuristic is a false positive here. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.2.0 | 3 / 1 | |
| 2.1.6 | 3 / 0 | |
| 2.1.5 | 3 / 0 | |
| 2.1.4 | 3 / 0 | |
| 2.1.3 | 3 / 0 | |
| 2.1.2 | 3 / 0 | |
| 2.1.1 | 3 / 0 | |
| 2.1.0 | 3 / 0 | |
| 2.0.1 | 8 / 1 | |
| 2.0.0 | 8 / 1 | |
v2.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.5
2 findings: This version was published by a different npm account than previous versions on 2026-01-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.4
2 findings: This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.3
2 findings: This version was published by a different npm account than previous versions on 2025-12-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
2 findings: Script: node scripts/postinstall.mjs
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
2 findings: Script: node scripts/postinstall.cjs
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.