postcss-normalize
Use the parts of normalize.css or sanitize.css you need from your browserslist
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of seaneking is consistent with the csstools org taking over maintenance from original authors. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): romainmenke and alaguna are known csstools org members; this is a documented ecosystem-wide maintainer transition. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transfer from jonathantneal to romainmenke (csstools org). romainmenke is a trusted csstools maintainer with 774 approved packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy explained by maintainer transition; csstools org resumed maintenance of this PostCSS plugin. | ai | |
| phantom-deps | phantom-dep:@csstools/normalize.css | AI (phantom-deps): @csstools/normalize.css is a core dependency used indirectly through config; phantom-dep pattern is expected for PostCSS plugins. | ai | |
| phantom-deps | phantom-dep:browserslist | AI (phantom-deps): browserslist is a core dependency used indirectly through config; phantom-dep pattern is expected for PostCSS plugins. | ai | |
| phantom-deps | phantom-dep:sanitize.css | AI (phantom-deps): sanitize.css is a core dependency used indirectly through config; phantom-dep pattern is expected for PostCSS plugins. | ai | |
| dependencies | unvetted-dep:sanitize.css | AI (dependencies): sanitize.css is a core dependency of postcss-normalize by design — the package exists to apply sanitize.css rules selectively. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:postcss-browser-comments | AI (dependencies): postcss-browser-comments is a core dependency used to filter CSS by browserslist. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@csstools/normalize.css | AI (dependencies): @csstools/normalize.css is a core dependency of postcss-normalize by design — same csstools org. Stable false positive for this package. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 13.0.1 | 3 / 5 | |
| 13.0.0 | 3 / 5 | |
| 12.0.0 | 3 / 5 | |
| 11.0.0 | 3 / 5 | |
| 8.0.1 | 5 / 10 |
v13.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.0.0
2 findingsThis version was published by a different npm account than previous versions on 2024-09-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-07. This could indicate a legitimate maintainer transition or an account compromise.
v8.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.