@wordpress/icons
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Fires in build tooling (lib/generate-library.js), not published runtime code; env spread is used to unset GIT_WORK_TREE. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Fires in build tooling (lib/build-worker-utils.js); child_process is used for build steps, not runtime package behavior. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @wordpress/icons is an official WordPress package; Levenshtein match to 'cors' is a false positive. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): change-case is declared in dependencies; phantom-dep heuristic misfires on build-time usage patterns in this monorepo package. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 13.3.0 | 3 / 0 | |
| 13.2.0 | 3 / 0 | |
| 13.1.0 | 3 / 0 | |
| 13.0.0 | 3 / 0 | |
| 12.2.0 | 3 / 0 | |
| 12.1.0 | 3 / 0 | |
| 12.0.0 | 3 / 0 | |
| 11.8.0 | 3 / 0 | |
| 11.7.0 | 3 / 0 | |
| 11.6.0 | 2 / 0 | |
| 11.5.0 | 2 / 0 | |
| 11.4.0 | 2 / 0 | |
| 11.3.0 | 2 / 0 | |
| 11.2.0 | 2 / 0 |
v13.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.4.0
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/2cf13ec6cf86153c9b3cf369bf5c59046f5cd950/lib/generate-library.js#L44 42 | // Unset GIT_WORK_TREE to avoid path resolution issues 43 | // in commit hook environments (e.g. GUI git clients) > 44 | env: { 45 | ...process.env, 46 | GIT_WORK_TREE: undefined,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/2cf13ec6cf86153c9b3cf369bf5c59046f5cd950/lib/generate-library.js#L76 74 | async function cleanup() { 75 | await execFileAsync( 'git', [ 'clean', '-Xfq', ICON_LIBRARY_DIR ], { > 76 | env: { 77 | ...process.env, 78 | GIT_WORK_TREE: undefined,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.3.0
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/b35cf1a2dce04665e99fd6b9c2891c0b336361b9/lib/generate-library.js#L44 42 | // Unset GIT_WORK_TREE to avoid path resolution issues 43 | // in commit hook environments (e.g. GUI git clients) > 44 | env: { 45 | ...process.env, 46 | GIT_WORK_TREE: undefined,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/b35cf1a2dce04665e99fd6b9c2891c0b336361b9/lib/generate-library.js#L76 74 | async function cleanup() { 75 | await execFileAsync( 'git', [ 'clean', '-Xfq', ICON_LIBRARY_DIR ], { > 76 | env: { 77 | ...process.env, 78 | GIT_WORK_TREE: undefined,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.2.0
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/77aa1f194edceafe8ac2a1b9438bf84b557e76e3/lib/generate-library.js#L44 42 | // Unset GIT_WORK_TREE to avoid path resolution issues 43 | // in commit hook environments (e.g. GUI git clients) > 44 | env: { 45 | ...process.env, 46 | GIT_WORK_TREE: undefined,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/WordPress/gutenberg/blob/77aa1f194edceafe8ac2a1b9438bf84b557e76e3/lib/generate-library.js#L76 74 | async function cleanup() { 75 | await execFileAsync( 'git', [ 'clean', '-Xfq', ICON_LIBRARY_DIR ], { > 76 | env: { 77 | ...process.env, 78 | GIT_WORK_TREE: undefined,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.