@angular-devkit/build-optimizer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dependency is tslib, a well-known official TypeScript runtime helper library by Microsoft. Adding tslib is standard practice for Angular/TypeScript packages and poses no risk. | ai | |
| source-diff | obfuscated-file:src/purify/purify.js | AI (source-diff): Long lines are inline TypeScript sourcemaps (base64 data URIs), not obfuscation. Standard compiled TS output for this Angular DevKit build tool package. | ai | |
| source-diff | obfuscated-file:src/purify/webpack-plugin.js | AI (source-diff): Long lines are inline TypeScript sourcemaps (base64 data URIs), not obfuscation. Standard compiled TS output for this Angular DevKit build tool package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; published by the trusted angular publisher with a strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): google-wombot is Google's official automation bot used for Angular/Google npm packages; its addition is a routine, legitimate organizational change. | ai | |
| source-diff | obfuscated-file:third_party/github.com/Microsoft/TypeScript/lib/typescript.js | AI (source-diff): This is the official Microsoft TypeScript compiler (Apache 2.0) vendored under third_party/. Minified TypeScript compiler is expected in a build-optimizer package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to bundling the TypeScript compiler (~7.4MB) as a third-party dependency, which is legitimate for this build tooling package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from angular to google-wombot reflects Google's documented migration to their automated publishing bot; this is a stable, legitimate organizational transition for all Angular DevKit packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by google-wombot publish is consistent with Google's batch migration of Angular packages to automated publishing; not indicative of account takeover. | ai | |
| source-diff | obfuscated-file:src/build-optimizer/rollup-plugin.js | AI (source-diff): Long lines are due to inline base64 sourcemaps in compiled TypeScript output, not obfuscation. Standard Angular DevKit build artifact pattern. | ai | |
| source-diff | obfuscated-file:src/transforms/prefix-classes.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:src/transforms/wrap-enums.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:src/helpers/ast-utils.js | AI (source-diff): Long line is a base64-encoded inline source map from TypeScript compilation, not obfuscation. Code is fully readable with Angular license headers. Stable false positive for this package. | ai | |
Versions (showing 100 of 277)
v0.1302.1 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1302.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.2 (2 findings)
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: google-wombot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1301.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1300.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.15 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.14 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.13 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.12 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.11 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.10 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.9 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.8 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.7 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.6 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.5 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1202.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1201.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.5 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.4 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.3 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1200.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.15 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.14 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.13 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.12 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.11 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.10 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.9 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.8 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.7 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.6 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.5 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.4 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.1102.3 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.1102.2 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-02-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.1102.1 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1102.0 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1101.4 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1101.3 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1101.2 (2 findings)
This version was published by a different npm account than previous versions on 2021-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1101.1 (2 findings)
This version was published by a different npm account than previous versions on 2021-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1101.0 (2 findings)
This version was published by a different npm account than previous versions on 2021-01-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.7 (2 findings)
This version was published by a different npm account than previous versions on 2021-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.6 (2 findings)
This version was published by a different npm account than previous versions on 2021-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.5 (2 findings)
This version was published by a different npm account than previous versions on 2020-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.4 (2 findings)
This version was published by a different npm account than previous versions on 2020-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.3 (2 findings)
This version was published by a different npm account than previous versions on 2020-12-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.2 (2 findings)
This version was published by a different npm account than previous versions on 2020-11-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.1 (2 findings)
This version was published by a different npm account than previous versions on 2020-11-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1100.0 (2 findings)
This version was published by a different npm account than previous versions on 2020-11-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1002.3 (2 findings)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.1002.2 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1002.1 (2 findings)
This version was published by a different npm account than previous versions on 2020-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1002.0 (2 findings)
This version was published by a different npm account than previous versions on 2020-10-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.7 (2 findings)
This version was published by a different npm account than previous versions on 2020-10-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.6 (2 findings)
This version was published by a different npm account than previous versions on 2020-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.5 (2 findings)
This version was published by a different npm account than previous versions on 2020-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.4 (2 findings)
This version was published by a different npm account than previous versions on 2020-10-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.3 (2 findings)
This version was published by a different npm account than previous versions on 2020-09-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.2 (2 findings)
This version was published by a different npm account than previous versions on 2020-09-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.1 (2 findings)
This version was published by a different npm account than previous versions on 2020-09-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1001.0 (2 findings)
This version was published by a different npm account than previous versions on 2020-09-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.8 (3 findings)
This version was published by a different npm account than previous versions on 2020-08-26. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.7 (3 findings)
This version was published by a different npm account than previous versions on 2020-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.6 (3 findings)
This version was published by a different npm account than previous versions on 2020-08-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.5 (3 findings)
This version was published by a different npm account than previous versions on 2020-07-31. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.4 (3 findings)
This version was published by a different npm account than previous versions on 2020-07-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.3 (3 findings)
This version was published by a different npm account than previous versions on 2020-07-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.2 (3 findings)
This version was published by a different npm account than previous versions on 2020-07-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.1 (3 findings)
This version was published by a different npm account than previous versions on 2020-07-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1000.0 (3 findings)
This version was published by a different npm account than previous versions on 2020-06-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.15 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.14 (2 findings)
This version was published by a different npm account than previous versions on 2021-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.13 (2 findings)
This version was published by a different npm account than previous versions on 2020-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.12 (2 findings)
This version was published by a different npm account than previous versions on 2020-07-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.11 (2 findings)
This version was published by a different npm account than previous versions on 2020-07-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.10 (2 findings)
This version was published by a different npm account than previous versions on 2020-07-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.9 (2 findings)
This version was published by a different npm account than previous versions on 2020-06-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.8 (2 findings)
This version was published by a different npm account than previous versions on 2020-06-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.7 (2 findings)
This version was published by a different npm account than previous versions on 2020-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.6 (2 findings)
This version was published by a different npm account than previous versions on 2020-05-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.901.5 (2 findings)
This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.