@angular-devkit/build-optimizer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dependency is tslib, a well-known official TypeScript runtime helper library by Microsoft. Adding tslib is standard practice for Angular/TypeScript packages and poses no risk. | ai | |
| source-diff | obfuscated-file:src/purify/purify.js | AI (source-diff): Long lines are inline TypeScript sourcemaps (base64 data URIs), not obfuscation. Standard compiled TS output for this Angular DevKit build tool package. | ai | |
| source-diff | obfuscated-file:src/purify/webpack-plugin.js | AI (source-diff): Long lines are inline TypeScript sourcemaps (base64 data URIs), not obfuscation. Standard compiled TS output for this Angular DevKit build tool package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; published by the trusted angular publisher with a strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): google-wombot is Google's official automation bot used for Angular/Google npm packages; its addition is a routine, legitimate organizational change. | ai | |
| source-diff | obfuscated-file:third_party/github.com/Microsoft/TypeScript/lib/typescript.js | AI (source-diff): This is the official Microsoft TypeScript compiler (Apache 2.0) vendored under third_party/. Minified TypeScript compiler is expected in a build-optimizer package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to bundling the TypeScript compiler (~7.4MB) as a third-party dependency, which is legitimate for this build tooling package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from angular to google-wombot reflects Google's documented migration to their automated publishing bot; this is a stable, legitimate organizational transition for all Angular DevKit packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by google-wombot publish is consistent with Google's batch migration of Angular packages to automated publishing; not indicative of account takeover. | ai | |
| source-diff | obfuscated-file:src/build-optimizer/rollup-plugin.js | AI (source-diff): Long lines are due to inline base64 sourcemaps in compiled TypeScript output, not obfuscation. Standard Angular DevKit build artifact pattern. | ai | |
| source-diff | obfuscated-file:src/transforms/prefix-classes.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:src/transforms/wrap-enums.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:src/helpers/ast-utils.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
Versions (showing 51 of 277)
| Version | Deps | Published |
|---|---|---|
| 0.1302.1 | 3 / 0 | |
| 0.1302.0 | 3 / 0 | |
| 0.1301.4 | 3 / 0 | |
| 0.1301.3 | 3 / 0 | |
| 0.1301.2 | 3 / 0 | |
| 0.1301.1 | 3 / 0 | |
| 0.1301.0 | 3 / 0 | |
| 0.1300.4 | 3 / 0 | |
| 0.1300.3 | 3 / 0 | |
| 0.1300.2 | 3 / 0 | |
| 0.1300.1 | 3 / 0 | |
| 0.1300.0 | 3 / 0 | |
| 0.1202.15 | 3 / 0 | |
| 0.1202.14 | 3 / 0 | |
| 0.1202.13 | 3 / 0 | |
| 0.1202.12 | 3 / 0 | |
| 0.1202.11 | 3 / 0 | |
| 0.1202.10 | 3 / 0 | |
| 0.1202.9 | 3 / 0 | |
| 0.1202.8 | 3 / 0 | |
| 0.1202.7 | 3 / 0 | |
| 0.1202.6 | 3 / 0 | |
| 0.1202.5 | 3 / 0 | |
| 0.1202.4 | 3 / 0 | |
| 0.1202.3 | 3 / 0 | |
| 0.1202.2 | 3 / 0 | |
| 0.1202.1 | 3 / 0 | |
| 0.1202.0 | 3 / 0 | |
| 0.1201.4 | 3 / 0 | |
| 0.1201.3 | 3 / 0 | |
| 0.1201.2 | 3 / 0 | |
| 0.1201.1 | 3 / 0 | |
| 0.1201.0 | 3 / 0 | |
| 0.1200.5 | 3 / 0 | |
| 0.1200.4 | 3 / 0 | |
| 0.1200.3 | 3 / 0 | |
| 0.1200.2 | 3 / 0 | |
| 0.1200.1 | 3 / 0 | |
| 0.1200.0 | 3 / 0 | |
| 0.1102.15 | 5 / 0 | |
| 0.1102.14 | 5 / 0 | |
| 0.1102.13 | 5 / 0 | |
| 0.1102.12 | 5 / 0 | |
| 0.1102.11 | 5 / 0 | |
| 0.1102.10 | 5 / 0 | |
| 0.1102.9 | 5 / 0 | |
| 0.1102.8 | 5 / 0 | |
| 0.1102.7 | 5 / 0 | |
| 0.1102.6 | 5 / 0 | |
| 0.1102.5 | 5 / 0 | |
| 0.1102.4 | 5 / 0 | |
v0.1302.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1302.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.2
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: google-wombot.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.15
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.14
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.13
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.12
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.11
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.10
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.9
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.8
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.7
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.6
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.15
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.14
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.13
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.12
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.11
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.10
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.9
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.8
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.7
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.6
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.5
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.4
2 findings
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2021-03-10. This could indicate a legitimate maintainer transition or an account compromise.