styled-components
Fast, expressive styling for React.
Versions: 20
License: MIT
Install scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation: present
- npm registry signatures: present
- Source commit: none (the version manifest carries no gitHead; see the missing-githead accepted risk below)
Maintainers: mxstbr, probablyup, philpl
Keywords: react, css, css-in-js, styled-components, styling
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): GitHub Actions CI/CD publishing commonly omits gitHead; SLSA provenance compensates. | ai | |
| phantom-deps | phantom-dep:shallowequal | AI (phantom-deps): shallowequal is declared and used via config/bundled code; stable false positive for styled-components. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from human to GitHub Actions CI/CD with SLSA provenance — this is the expected modern publishing pattern for styled-components. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance confirms CI/CD publishing from the official repo; positive signal. | ai | |
| provenance | no-provenance | AI (provenance): styled-components is a long-established, high-trust package. Lack of Sigstore provenance is common for packages of this age and does not represent a meaningful risk here. | ai | |
| dependencies | unvetted-dep:@types/stylis | AI (dependencies): @types/stylis is a TypeScript type definition package for stylis, a direct dependency of styled-components. Shipping it as a runtime dep to expose types to consumers is an established pattern for this package. | ai | |
| phantom-deps | phantom-dep:@types/stylis | AI (phantom-deps): @types/stylis is a type-only package used by convention for TypeScript consumers; not being directly imported in JS source is expected behavior. | ai | |
| dependencies | unvetted-dep:css-to-react-native | AI (dependencies): css-to-react-native is a well-known CSS parsing utility expected as a dependency for a CSS-in-JS library targeting React Native. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@emotion/is-prop-valid | AI (dependencies): @emotion/is-prop-valid is a well-known Emotion ecosystem utility for prop filtering. Its use in styled-components is documented and expected. Stable false positive for this package. | ai | |
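The phantom-dep and unvetted-dep rows above come from comparing the dependencies a package declares against the packages its shipped source actually imports. The following is an added example of that check, written for this page; it is not styled-components' code and not the scanner that produced the table. It runs over constructed in-memory files whose package names echo the rows above (the file contents, the VETTED allow-list and the fast-hash-lib package are invented for illustration). Note that this page uses "phantom-dep" for a dependency that is declared but never imported directly; the conventional meaning of the term is the reverse (imported but not declared), which the same scan reports under an undeclared-dep rule that this page does not list.

```javascript
// Added example (not styled-components' code, not the page's scanner): the
// check behind the phantom-dep / unvetted-dep rows, plus the conventional
// "imported but undeclared" case, over constructed in-memory files.

// Constructed package.json and sources. Names echo the table on this page;
// the file contents are illustrative and are not styled-components' source.
const PKG = {
  dependencies: {
    '@emotion/is-prop-valid': '1.x',
    '@types/stylis': '4.x',
    'css-to-react-native': '3.x',
    shallowequal: '1.x',
    stylis: '4.x',
  },
};
const SOURCES = {
  'src/utils/isPropValid.js':
    "import isPropValid from '@emotion/is-prop-valid';\nexport default isPropValid;\n",
  'src/native.js':
    "const transformDeclPairs = require('css-to-react-native').default;\n" +
    "const { compile } = require('stylis');\n",
  // fast-hash-lib is invented and deliberately left undeclared.
  'src/escape.js':
    "import path from 'node:path';\nimport { hash } from 'fast-hash-lib';\n",
};

// Hypothetical allow-list of dependencies a reviewer has already vetted.
const VETTED = new Set(['stylis', 'shallowequal']);

// Abbreviated builtin list; a real scan would use require('node:module').builtinModules.
const BUILTINS = new Set(['fs', 'path', 'os', 'crypto', 'url', 'util', 'events', 'stream']);

// Matches ESM `import ... from 'x'` / `export ... from 'x'`, bare `import 'x'`,
// dynamic `import('x')` and CJS `require('x')`. Group 1, 2 or 3 holds the specifier.
const SPECIFIER_RE =
  /\b(?:import|export)\b[^'";]*?\bfrom\s*['"]([^'"]+)['"]|\bimport\s*\(?\s*['"]([^'"]+)['"]|\brequire\s*\(\s*['"]([^'"]+)['"]/g;

// 'stylis/dist/umd' -> 'stylis'; '@emotion/is-prop-valid/dist/x' -> '@emotion/is-prop-valid'
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Relative paths and Node builtins are not dependencies.
function isExternal(spec) {
  return !(spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:') || BUILTINS.has(spec));
}

// Map of package name -> Set of files that import it.
function importedPackages(sources) {
  const used = new Map();
  for (const [file, code] of Object.entries(sources)) {
    for (const m of code.matchAll(SPECIFIER_RE)) {
      const spec = m[1] || m[2] || m[3];
      if (!isExternal(spec)) continue;
      const name = packageName(spec);
      if (!used.has(name)) used.set(name, new Set());
      used.get(name).add(file);
    }
  }
  return used;
}

// Emits phantom-dep (declared, never imported), unvetted-dep (declared, not on
// the allow-list) and undeclared-dep (imported, not declared). Findings on the
// accepted list are reported but do not block.
function auditDeps(pkg, sources, accepted = new Set(), vetted = VETTED) {
  const declared = Object.keys(pkg.dependencies || {});
  const used = importedPackages(sources);
  const findings = [];
  const add = (rule, extra = {}) => findings.push({ rule, accepted: accepted.has(rule), ...extra });
  for (const name of declared) {
    if (!used.has(name)) add(`phantom-dep:${name}`);
    if (!vetted.has(name)) add(`unvetted-dep:${name}`);
  }
  for (const [name, files] of used) {
    if (!declared.includes(name)) add(`undeclared-dep:${name}`, { files: [...files] });
  }
  return { findings, blocking: findings.filter(f => !f.accepted) };
}

// The dependency rows the reviewer accepted in the table on this page.
const ACCEPTED_DEPS = new Set([
  'phantom-dep:shallowequal',
  'phantom-dep:@types/stylis',
  'unvetted-dep:@types/stylis',
  'unvetted-dep:css-to-react-native',
  'unvetted-dep:@emotion/is-prop-valid',
]);

function demo() {
  const result = auditDeps(PKG, SOURCES, ACCEPTED_DEPS);
  for (const f of result.findings) {
    console.log(`${f.accepted ? 'accepted' : 'BLOCK   '} ${f.rule}${f.files ? ' in ' + f.files.join(', ') : ''}`);
  }
  return result;
}

demo();
```

With the accepted list applied, the five rows from the table are reported but waved through, and only the invented undeclared import blocks. Scanning a real tarball would feed the files under its `files`/`dist` entries into `auditDeps` in place of the constructed SOURCES; type-only packages such as @types/stylis will always show as phantom under this page's definition, which is exactly why the reviewer accepted them rather than tuning the rule.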
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 6.4.2 | 4 / 49 | |
| 6.4.1 | 4 / 49 | |
| 6.4.0 | 4 / 49 | |
| 6.3.12 | 9 / 51 | |
| 6.3.11 | 9 / 51 | |
| 6.3.10 | 9 / 51 | |
| 6.3.9 | 9 / 51 | |
| 6.3.8 | 9 / 51 | |
| 6.3.7 | 9 / 51 | |
| 6.3.6 | 9 / 51 | |
| 6.3.5 | 9 / 51 | |
| 6.3.4 | 9 / 51 | |
| 6.3.3 | 9 / 51 | |
| 6.3.2 | 9 / 51 | |
| 6.3.1 | 9 / 51 | |
| 6.3.0 | 9 / 51 | |
| 6.2.0 | 9 / 51 | |
| 6.1.19 | 9 / 47 | |
| 6.1.18 | 9 / 47 | |
| 6.1.2 | 9 / 47 | |
v6.4.2 (1 finding)
INFO · provenance · Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it ties the tarball to the workflow and source commit that built it. It does not vouch for the contents of that commit, and the attestation has to be verified by the consumer (for example with `npm audit signatures`) rather than taken on trust from the badge.

v6.1.19 (1 finding)
INFO · provenance · No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Later versions carry it (see v6.4.2 above), so the usual advice of asking the maintainer to enable provenance via CI/CD has already been acted on; prefer a version with provenance where possible.

v6.1.18 (1 finding)
INFO · provenance · No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. As for v6.1.19, later versions carry it; prefer a version with provenance where possible.
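The per-version findings above, and the provenance rows in the Accepted risks table, all derive from a handful of fields the npm registry records per version: whether `dist.attestations` carries a SLSA provenance predicate, whether `gitHead` is present, and who `_npmUser` says published. The following is an added example, written for this page and not taken from styled-components or from the scanner behind it, that re-implements those four rules (slsa-provenance, no-provenance, missing-githead, publisher-changed) over constructed sample metadata and then applies the accepted-risks list as a gate. The commit hash, key ids and signatures in the sample are placeholders; the "GitHub Actions" publisher identity and the WARN severities for the two non-provenance rules are assumptions, since the page only shows INFO for the two provenance-presence rules.

```javascript
// Added example (not styled-components' code, not the page's scanner): the
// four provenance rules from this page over registry version metadata, plus
// the accepted-risks gate that lets known findings through while any new
// non-INFO finding still blocks.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Constructed sample in the shape of the per-version manifest the registry
// serves (roughly what `npm view <pkg>@<ver> --json` returns). Commit hash,
// key ids and signatures are placeholders. The "GitHub Actions" publisher
// identity for OIDC publishing is an assumption, not a value read from the
// real styled-components manifest.
const SAMPLE = {
  '6.1.19': {
    gitHead: '0000000000000000000000000000000000000000',
    _npmUser: { name: 'maintainer-a', email: 'a@example.invalid' },
    dist: { signatures: [{ keyid: 'SHA256:placeholder', sig: 'placeholder' }] },
  },
  '6.4.2': {
    // gitHead deliberately absent: CI publishes commonly omit it.
    _npmUser: { name: 'GitHub Actions', email: 'npm-oidc-no-reply@github.com' },
    dist: {
      signatures: [{ keyid: 'SHA256:placeholder', sig: 'placeholder' }],
      attestations: {
        url: 'https://registry.npmjs.org/-/npm/v1/attestations/styled-components@6.4.2',
        provenance: { predicateType: SLSA_V1 },
      },
    },
  },
};

function hasSlsaProvenance(meta) {
  return meta?.dist?.attestations?.provenance?.predicateType === SLSA_V1;
}

// Severities for missing-githead and publisher-changed are assumed (WARN).
function findingsFor(meta, previousMeta) {
  const findings = [];
  if (hasSlsaProvenance(meta)) {
    findings.push({ rule: 'slsa-provenance', severity: 'INFO',
      note: `Sigstore attestation present (predicate ${SLSA_V1})` });
  } else {
    findings.push({ rule: 'no-provenance', severity: 'INFO',
      note: 'Published without Sigstore provenance' });
  }
  if (!meta.gitHead) {
    findings.push({ rule: 'missing-githead', severity: 'WARN',
      note: 'No source commit recorded in the version manifest' });
  }
  const prev = previousMeta?._npmUser?.name;
  const cur = meta?._npmUser?.name;
  if (prev && cur && prev !== cur) {
    findings.push({ rule: 'publisher-changed', severity: 'WARN',
      note: `Publisher changed from "${prev}" to "${cur}"` });
  }
  return findings;
}

// The provenance rules the reviewer accepted in the table on this page.
const ACCEPTED_PROVENANCE = new Set([
  'missing-githead', 'publisher-changed', 'slsa-provenance', 'no-provenance',
]);

// A finding blocks only when it is above INFO and not on the accepted list.
function gate(meta, previousMeta, accepted = ACCEPTED_PROVENANCE) {
  const findings = findingsFor(meta, previousMeta);
  const blocking = findings.filter(f => f.severity !== 'INFO' && !accepted.has(f.rule));
  return { ok: blocking.length === 0, findings, blocking };
}

function demo() {
  // Compare the CI-published version against the last human-published one.
  const result = gate(SAMPLE['6.4.2'], SAMPLE['6.1.19']);
  for (const f of result.findings) console.log(`${f.severity.padEnd(4)} ${f.rule}: ${f.note}`);
  console.log(result.ok ? 'PASS: every non-INFO finding is accepted' : 'BLOCK');
  return result;
}

demo();
```

Run against a real manifest, the same version that produced the three expected findings here (slsa-provenance, missing-githead, publisher-changed) passes the gate only because the reviewer accepted them; delete the accepted list and the publisher change blocks, which is the behaviour you want for a package whose publishing pipeline has not been reviewed. Presence of `dist.attestations` is still only a registry claim: `npm audit signatures` is what actually verifies the registry signatures and provenance attestations for the installed tree.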