@angular-devkit/build-webpack
3
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
angulargoogle-wombot
Keywords
Angular CLIAngular DevKitangulardevkitsdk
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): css-loader is a webpack loader referenced in build config files, not directly imported. Standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:exports-loader | AI (phantom-deps): exports-loader is a webpack loader referenced in build config files, not directly imported. Standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Optional webpack loader for PostCSS; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Optional webpack loader for CSS preprocessing; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Optional webpack loader; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:stylus-loader | AI (phantom-deps): Optional webpack loader for CSS preprocessing; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): Optional CSS preprocessor dependency; build tools list these for conditional use based on project config, not direct import. | ai | |
| phantom-deps | phantom-dep:stylus | AI (phantom-deps): Optional CSS preprocessor dependency; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:node-sass | AI (phantom-deps): Optional CSS preprocessor dependency; standard pattern for Angular build tooling. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Utility library referenced in config/build files; phantom detection is a false positive for this build tool package. | ai | |
| phantom-deps | phantom-dep:request | AI (phantom-deps): HTTP utility used conditionally in build tooling; phantom detection is a false positive here. | ai | |
| phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Optional webpack loader for CSS preprocessing; standard pattern for Angular build tooling. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Build tooling legitimately uses child_process to fork webpack/build processes. This is expected behavior for @angular-devkit/build-webpack across all versions. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used as a standard ESM dynamic import() workaround in CJS context within Angular CLI build tooling. Input is a developer-controlled config path, not external user input. Stable pattern across Angular CLI versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() loads developer-specified webpack config files — expected behavior for a build tool. No security risk in this context. | ai |
v0.0.6
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.