Is @ctrl/tinycolor safe to use?

@ctrl/tinycolor has no known vulnerabilities on the latest version (4.2.0). DepScope rates its health at 51/100 (high risk).

What is the latest version of @ctrl/tinycolor?

The latest version of @ctrl/tinycolor is 4.2.0, released 2025-09-16.

Does @ctrl/tinycolor have known vulnerabilities?

No known vulnerabilities on the latest version of @ctrl/tinycolor.

Is @ctrl/tinycolor deprecated?

No, @ctrl/tinycolor is actively maintained. Latest release: 4.2.0 (2025-09-16).

What are alternatives to @ctrl/tinycolor?

Popular alternatives to @ctrl/tinycolor in npm include: ?., ansi-styles, debug, brace-expansion, strip-ansi.

What license does @ctrl/tinycolor use?

@ctrl/tinycolor is licensed under MIT.

@ctrl/tinycolor

npmv4.2.0

Fast, small color manipulation and conversion for JavaScript

License MITpermissive49 versions1 maintainers0 deps

scttcper/tinycolor

/ 100

Health

do not use

Do not install. Package is flagged as malicious (advisory MAL-2025-47141).

Health breakdown0 – 100

10/25

maintenance

0/20

popularity

25/25

security

12/15

maturity

4/15

community

Vulnerabilities

none known

Bundle & TypeScript

📦

Bundle Size

17.0 KBminified

6.3 KB gzipped

0 direct dependencies

ESMscoped

🌟

TypeScript

10/10typed

bundled

⚠ Malicious package

This package is flagged as malicious by the OpenSSF/OSV community feed. Do not install.

Advisory: MAL-2025-47141 — Malicious code in @ctrl/tinycolor (npm)

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/@ctrl/tinycolor