Skeletonic Stylus

Performance

Performance is a security control. Every byte not shipped is one fewer byte to audit, sign, and verify.

Supply-chain TL;DR

Control | v2.0.0 status
------- | -------------
CycloneDX SBOM | Generated on every release, committed under dist/sbom.json
npm provenance | Enabled (--provenance --access public)
Signed git tags | SSH-signed by maintainer key
Pinned Dependabot | Weekly bumps, auto-reviewed
Size budgets | size-limit 8 KB gzipped ceiling, fails CI on regression
Lint | stylelint + a11y assertions on every push
CodeQL | Enabled for javascript and config files
CVE-2023-44270 | Patched via pnpm.overrides replacing postcss@7 with postcss ≥ 8.4.31

CycloneDX SBOM

Every published tarball includes a CycloneDX SBOM at dist/sbom.json. You can confirm that the SBOM shipped in a freshly installed package describes the version you installed with:

pnpm add @sebastienrousseau/skeletonic-stylus@2.0.0
jq '.metadata.component.version' \
  node_modules/@sebastienrousseau/skeletonic-stylus/dist/sbom.json
# → "2.0.0"

The SBOM is generated with cyclonedx-npm during the publish workflow.
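Reading the version field only proves the file is present. A practitioner usually wants to cross-check the SBOM against the package manifest it claims to describe and against the advisories the page lists. The script below is an added example, not code from the Skeletonic Stylus project or from cyclonedx-npm: it checks that the root component matches the installed package.json, that every declared dependency appears as a component with an npm purl, and that no listed component is still below the fix for CVE-2023-44270 (postcss 8.4.31). The SBOM and package.json are constructed stand-ins; the dependency names and versions in them are assumptions, not the project's real manifest. One detail worth knowing: CycloneDX stores an npm scope in `group` and the bare package name in `name`, so the two must be joined before comparing with package.json.

```javascript
// Added example, not project code: cross-check a CycloneDX SBOM against the
// package.json it describes and flag components below a patched release.
// Inputs are constructed; dependency names/versions are assumptions.

// Constructed stand-in for node_modules/@sebastienrousseau/skeletonic-stylus/package.json
const packageJson = {
  name: '@sebastienrousseau/skeletonic-stylus',
  version: '2.0.0',
  dependencies: { postcss: '^8.4.31', stylus: '^0.62.0' },
};

// Constructed stand-in for dist/sbom.json (trimmed to the fields checked here).
// CycloneDX splits an npm scope into `group` and keeps the bare name in `name`.
const sbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  metadata: {
    component: { type: 'library', group: '@sebastienrousseau', name: 'skeletonic-stylus', version: '2.0.0' },
  },
  components: [
    { type: 'library', name: 'postcss', version: '8.4.31', purl: 'pkg:npm/postcss@8.4.31' },
    { type: 'library', name: 'stylus', version: '0.62.0', purl: 'pkg:npm/stylus@0.62.0' },
  ],
};

// Lowest patched version for each advisory the page lists.
const FIXED_IN = { postcss: '8.4.31' }; // CVE-2023-44270

// Reassemble "@scope/name" from CycloneDX group + name.
function fullName(component) {
  return component.group ? `${component.group}/${component.name}` : component.name;
}

// Numeric compare of dotted versions; prerelease suffixes are dropped, which is
// enough to answer "is this component at or above the patched release".
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Returns a list of problems; an empty list means the SBOM is consistent.
function checkSbom(bom, pkg, fixedIn = FIXED_IN) {
  const problems = [];
  if (bom.bomFormat !== 'CycloneDX') problems.push(`unexpected bomFormat: ${bom.bomFormat}`);

  // Root component must be the package that was actually installed.
  const root = (bom.metadata && bom.metadata.component) || {};
  if (fullName(root) !== pkg.name || root.version !== pkg.version) {
    problems.push(`root component ${fullName(root)}@${root.version} does not match ${pkg.name}@${pkg.version}`);
  }

  // Every declared dependency must be listed, with an npm purl.
  const byName = new Map((bom.components || []).map((c) => [fullName(c), c]));
  for (const dep of Object.keys(pkg.dependencies || {})) {
    const c = byName.get(dep);
    if (!c) { problems.push(`dependency ${dep} is missing from the SBOM`); continue; }
    if (!c.purl || !c.purl.startsWith('pkg:npm/')) problems.push(`${dep}: missing or non-npm purl`);
  }

  // Components named in an advisory must be at or above the fixed version.
  for (const [name, minVersion] of Object.entries(fixedIn)) {
    const c = byName.get(name);
    if (c && compareVersions(c.version, minVersion) < 0) {
      problems.push(`${name}@${c.version} is below the patched release ${minVersion}`);
    }
  }
  return problems;
}

console.log(checkSbom(sbom, packageJson)); // [] for the constructed inputs
```

To run it against a real install, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the package's package.json and dist/sbom.json; the check logic is unchanged.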


npm provenance

The published tarball carries an npm provenance attestation: the release workflow on GitHub Actions produces a SLSA provenance statement for the tarball, which is signed with a short-lived Sigstore certificate and recorded in the Rekor transparency log.

You can verify it from a project that has the package in its lockfile with:

# verifies the registry signature and the provenance attestation of every
# package in the lockfile, and fails on any mismatch
npm audit signatures

# shows where the attestation bundle lives and which predicate type it carries
npm view @sebastienrousseau/skeletonic-stylus@2.0.0 --json | \
  jq '.dist.attestations'

The signed attestation links the tarball back to the exact GitHub Actions run that produced it.


Known CVEs & patches

CVE | Severity | Status
--- | -------- | ------
CVE-2023-44270 (postcss line return parsing) | Moderate | Patched in v2.0.0 via pnpm.overrides upgrading postcss to ≥ 8.4.31

The Snyk advisory database and GitHub Security Advisories feed are monitored continuously. Security patches ship as patch-level releases.


Reporting a vulnerability

Please do not open a public GitHub issue for a security report. Instead, use the private channel at:

github.com/sebastienrousseau/skeletonic-stylus/security/advisories/new

Reports are acknowledged within 72 hours. Fixes ship within 14 days for moderate issues, 48 hours for critical ones.
