@angular/build — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

angulargoogle-wombot

Keywords

Angular CLIAngular DevKitangularangular-clidevkitsdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:src/utils/index-file/auto-csp.js	AI (source-diff): auto-csp.js is a legitimate Angular build tool file implementing CSP header generation. The 'network+exec' pattern is a false positive — it's standard TypeScript compiled output for HTML processing, not malware.	ai	2026/04/24
dependencies	unvetted-dep:@angular-devkit/architect	AI (dependencies): @angular-devkit/architect is a first-party Angular DevKit package from the same Google/Angular org; not a real risk for this package.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): rolldown replaces rollup (documented Angular CLI v21 migration); undici is a well-known Node.js HTTP client. Both are legitimate for this package.	ai	2026/04/23
phantom-deps	phantom-dep:source-map-support	AI (phantom-deps): source-map-support is a listed runtime dependency in package.json; phantom-dep finding is a false positive.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): google-wombot publishes Angular major versions on long cycles; v21 is a planned major release, not indicative of account takeover.	ai	2026/04/23
semgrep	semgrep:env-spread	AI (semgrep): process.env spread into worker options is standard for build tool worker processes; not exfiltration.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in a build tool for optional Bazel plugin loading; legitimate and already marked accepted risk.	ai	2026/04/23
typosquat	typosquat.levenshtein:esbuild	AI (typosquat): @angular/build is the official Angular build system from Google's Angular org; not a typosquat of esbuild.	ai	2026/04/23
typosquat	typosquat.levenshtein:uuid	AI (typosquat): @angular/build is the official Angular build system from Google's Angular org; not a typosquat of uuid.	ai	2026/04/23
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used for JIT template data in Angular's compiler pipeline; not a malicious payload.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function used as a well-known ESM dynamic import workaround in CJS contexts; standard pattern in Angular CLI.	ai	2026/04/23

Versions (showing 51 of 151)

View all versions

Version	Deps	Published
21.2.13	27 / 0	2026-05-27
21.2.12	27 / 0	2026-05-20
21.2.11	27 / 0	2026-05-13
21.2.10	27 / 0	2026-05-06
21.2.9	27 / 0	2026-04-29
21.2.8	27 / 0	2026-04-22
21.2.7	27 / 0	2026-04-08
21.2.6	27 / 0	2026-04-01
21.2.5	27 / 0	2026-03-27
21.2.4	27 / 0	2026-03-26
21.2.3	27 / 0	2026-03-18
21.2.2	27 / 0	2026-03-11
21.2.1	27 / 0	2026-03-05
21.2.0	27 / 0	2026-02-25
21.1.5	27 / 0	2026-02-23
21.1.4	27 / 0	2026-02-11
21.1.3	27 / 0	2026-02-05
21.1.2	27 / 0	2026-01-28
21.1.1	27 / 0	2026-01-21
21.1.0	27 / 0	2026-01-14
21.0.6	27 / 0	2026-01-14
21.0.5	27 / 0	2026-01-07
21.0.4	27 / 0	2025-12-18
21.0.3	27 / 0	2025-12-10
21.0.2	27 / 0	2025-12-03
21.0.1	27 / 0	2025-11-26
21.0.0	27 / 0	2025-11-19
20.3.26	26 / 0	2026-05-13
20.3.25	26 / 0	2026-04-29
20.3.24	26 / 0	2026-04-15
20.3.23	26 / 0	2026-04-08
20.3.22	26 / 0	2026-03-27
20.3.21	26 / 0	2026-03-19
20.3.20	26 / 0	2026-03-11
20.3.19	26 / 0	2026-03-04
20.3.18	26 / 0	2026-02-26
20.3.17	26 / 0	2026-02-23
20.3.16	26 / 0	2026-02-09
20.3.15	26 / 0	2026-01-21
20.3.14	26 / 0	2026-01-07
20.3.13	26 / 0	2025-12-03
20.3.12	26 / 0	2025-11-25
20.3.11	26 / 0	2025-11-19
20.3.10	26 / 0	2025-11-12
20.3.9	26 / 0	2025-11-05
20.3.8	26 / 0	2025-10-29
20.3.7	26 / 0	2025-10-22
20.3.6	26 / 0	2025-10-15
20.3.5	26 / 0	2025-10-08
20.3.4	26 / 0	2025-10-02
20.3.3	26 / 0	2025-09-24