@angular-devkit/build-angular

Angular Webpack Build Facade

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

angulargoogle-wombot

Keywords

Angular CLIAngular DevKitangulardevkitsdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:guess-parser	AI (dependencies): guess-parser is a legitimate Guess.js dependency used for Angular's predictive prefetching feature; stable usage across Angular CLI versions.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Used in Angular JIT plugin callbacks to decode template data passed through esbuild plugin boundaries — a documented Angular compiler mechanism, not malicious.	ai	2026/04/24
phantom-deps	phantom-dep:inquirer	AI (phantom-deps): inquirer is explicitly listed as a direct dependency in package.json and is used for interactive CLI prompts in Angular CLI tooling.	ai	2026/04/24
phantom-deps	phantom-dep:parse5-html-rewriting-stream	AI (phantom-deps): Declared dependency used for HTML processing; conditional loading is expected in this build tool.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): Build tool that spawns dev servers and SSR processes; child_process usage is expected and documented for @angular-devkit/build-angular.	ai	2026/04/24
phantom-deps	phantom-dep:magic-string	AI (phantom-deps): Declared dependency used in build transforms; conditional loading is expected in this build tool.	ai	2026/04/24
phantom-deps	phantom-dep:watchpack	AI (phantom-deps): Declared dependency used via webpack integration; conditional loading is expected in this build tool.	ai	2026/04/24
phantom-deps	phantom-dep:critters	AI (phantom-deps): Declared dependency loaded conditionally for critical CSS extraction; expected pattern for this build tool.	ai	2026/04/24
phantom-deps	phantom-dep:mrmime	AI (phantom-deps): Declared dependency used via config/conditional loading in a complex build tool; phantom-dep pattern is expected for @angular-devkit/build-angular.	ai	2026/04/24
dependencies	unvetted-dep:critters	AI (dependencies): critters is a well-known CSS inlining library used by Angular CLI for critical CSS extraction; its use here is expected and documented.	ai	2026/04/24
phantom-deps	phantom-dep:https-proxy-agent	AI (phantom-deps): Declared dependency used for proxy configuration; conditional loading is expected in this build tool.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): tinyglobby is an established package replacing fast-glob; routine build tool dependency update.	ai	2026/04/23
phantom-deps	phantom-dep:@vitejs/plugin-basic-ssl	AI (phantom-deps): Referenced in config files; legitimate for a build tool.	ai	2026/04/23
dependencies	unvetted-dep:license-webpack-plugin	AI (dependencies): license-webpack-plugin is a standard build tool for license extraction; no security concerns.	ai	2026/04/23
dependencies	unvetted-dep:@angular/build	AI (dependencies): Co-released Angular CLI sibling package; unvetted status is a pipeline artifact of simultaneous release, not a real risk.	ai	2026/04/23
dependencies	unvetted-dep:@ngtools/webpack	AI (dependencies): Co-released Angular CLI sibling package; unvetted status is a pipeline artifact of simultaneous release.	ai	2026/04/23
dependencies	unvetted-dep:@angular-devkit/core	AI (dependencies): Co-released Angular DevKit sibling package; unvetted status is a pipeline artifact of simultaneous release.	ai	2026/04/23
dependencies	unvetted-dep:@angular-devkit/architect	AI (dependencies): Co-released Angular DevKit sibling package; unvetted status is a pipeline artifact of simultaneous release.	ai	2026/04/23
dependencies	unvetted-dep:@angular-devkit/build-webpack	AI (dependencies): Co-released Angular DevKit sibling package; unvetted status is a pipeline artifact of simultaneous release.	ai	2026/04/23
dependencies	unvetted-dep:karma-source-map-support	AI (dependencies): karma-source-map-support is a standard Karma test runner plugin; no security concerns.	ai	2026/04/23
dependencies	unvetted-dep:webpack-subresource-integrity	AI (dependencies): webpack-subresource-integrity is a standard security-enhancing webpack plugin; no security concerns.	ai	2026/04/23
dependencies	unvetted-dep:babel-loader	AI (dependencies): Standard build tooling dependency for a webpack-based build tool; stable for this package.	ai	2026/04/23
dependencies	unvetted-dep:webpack-merge	AI (dependencies): Standard webpack utility dependency; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:open	AI (phantom-deps): Legitimate indirect dependency used by build tool for opening browser windows.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/helper-annotate-as-pure	AI (phantom-deps): Framework-scoped package loaded by convention; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/helper-split-export-declaration	AI (phantom-deps): Framework-scoped package loaded by convention; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:picomatch	AI (phantom-deps): Referenced in config files; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:semver	AI (phantom-deps): Referenced in config files; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:tslib	AI (phantom-deps): Known implicit runtime dependency; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:sass	AI (phantom-deps): Legitimate implicit dependency referenced in build config; stable for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Google's Angular CLI packages are published via google-wombot automation; lack of Sigstore provenance is consistent across all versions and not a risk indicator for this publisher.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): Standard pattern for dynamic ESM imports in load-esm utility; stable for this package.	ai	2026/04/23
semgrep	semgrep:env-spread	AI (semgrep): Normal pattern for passing environment to child processes in SSR dev server; stable for this package.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Intentional dynamic require for loading server bundles in SSR rendering; legitimate for this build tool.	ai	2026/04/23

Versions (showing 51 of 165)

View all versions

Version	Deps	Published
21.2.13	54 / 0	2026-05-27
21.2.12	54 / 0	2026-05-20
21.2.11	54 / 0	2026-05-13
21.2.10	54 / 0	2026-05-06
21.2.9	54 / 0	2026-04-29
21.2.8	54 / 0	2026-04-22
21.2.7	54 / 0	2026-04-08
21.2.6	54 / 0	2026-04-01
21.2.5	54 / 0	2026-03-27
21.2.4	54 / 0	2026-03-26
21.2.3	54 / 0	2026-03-18
21.2.2	54 / 0	2026-03-11
21.2.1	54 / 0	2026-03-05
21.2.0	54 / 0	2026-02-25
21.1.5	54 / 0	2026-02-23
21.1.4	54 / 0	2026-02-11
21.1.3	54 / 0	2026-02-05
21.1.2	54 / 0	2026-01-28
21.1.1	54 / 0	2026-01-21
21.1.0	54 / 0	2026-01-14
21.0.6	54 / 0	2026-01-14
21.0.5	54 / 0	2026-01-07
21.0.4	54 / 0	2025-12-18
21.0.3	54 / 0	2025-12-10
21.0.2	54 / 0	2025-12-03
21.0.1	54 / 0	2025-11-26
21.0.0	54 / 0	2025-11-19
20.3.26	54 / 0	2026-05-13
20.3.25	54 / 0	2026-04-29
20.3.24	54 / 0	2026-04-15
20.3.23	54 / 0	2026-04-08
20.3.22	54 / 0	2026-03-27
20.3.21	54 / 0	2026-03-19
20.3.20	54 / 0	2026-03-11
20.3.19	54 / 0	2026-03-04
20.3.18	54 / 0	2026-02-26
20.3.17	54 / 0	2026-02-23
20.3.16	54 / 0	2026-02-09
20.3.15	54 / 0	2026-01-21
20.3.14	54 / 0	2026-01-07
20.3.13	54 / 0	2025-12-03
20.3.12	54 / 0	2025-11-25
20.3.11	54 / 0	2025-11-19
20.3.10	54 / 0	2025-11-12
20.3.9	54 / 0	2025-11-05
20.3.8	54 / 0	2025-10-29
20.3.7	54 / 0	2025-10-22
20.3.6	54 / 0	2025-10-15
20.3.5	54 / 0	2025-10-08
20.3.4	54 / 0	2025-10-02
20.3.3	54 / 0	2025-09-24