
@docusaurus/bundler

Docusaurus util package to abstract the current bundler.

Versions: 14
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

fb, slorber, lex111, docusaurus-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Canary releases from established publishers often lack provenance; not a concern for this trusted monorepo package. | ai |
dependencies | unvetted-dep:babel-loader | AI (dependencies): babel-loader is a standard webpack loader; expected dependency for a bundler utility. | ai |
dependencies | unvetted-peer-dep:@docusaurus/faster | AI (dependencies): Optional peer dependency for Docusaurus framework; marked optional in peerDependenciesMeta. | ai |
source-diff | large-new-source-files | AI (source-diff): Bundler expansion with new build features; 21 files is expected for this package's scope. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase reflects legitimate bundler feature expansion, not injected code. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): 18 new deps are canonical build tools (webpack, babel, postcss, terser, etc.); expected for bundler package. | ai |
provenance | publisher-changed | AI (provenance): Legitimate CI/CD transition from docusaurus-bot to GitHub Actions; SLSA provenance attestation confirms integrity. | ai |
dependencies | unvetted-dep:webpack | AI (dependencies): Webpack is a canonical, widely-trusted bundler; appropriate core dependency for this package. | ai |
phantom-deps | phantom-dep:clean-css | AI (phantom-deps): Bundler package; clean-css is referenced in webpack config, not direct import. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped package loaded by convention in bundler context. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:cssnano | AI (phantom-deps): Bundler package; cssnano is referenced in webpack config, not direct import. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:postcss | AI (phantom-deps): Bundler package; postcss is referenced in webpack config, not direct import. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Bundler package; url-loader is referenced in webpack config, not direct import. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Bundler package; file-loader is referenced in webpack config, not direct import. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:@docusaurus/utils | AI (phantom-deps): Same-org scoped package in monorepo; loaded by convention. Stable pattern for this package. | ai |
bogus-package | bogus-package | AI (bogus-package): Internal Docusaurus monorepo package; 'fb' spam signal is false positive (Facebook org owner). README and keyword signals are expected for framework-internal utilities. | ai |

Versions (showing 14 of 14)

Version | Deps | Published
3.10.1 | 24 / 1 |
3.10.0 | 24 / 1 |
3.9.2 | 24 / 1 |
3.9.1 | 24 / 1 |
3.9.0 | 24 / 1 |
3.8.1 | 24 / 1 |
3.8.0 | 24 / 1 |
3.7.0 | 25 / 1 |
3.6.3 | 25 / 1 |
3.6.2 | 25 / 1 |
3.6.1 | 25 / 1 |
3.6.0 | 25 / 1 |
3.5.2 | 7 / 0 |
3.8.1-canary-6388 | 24 / 1 |

v3.10.1

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.0

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: docusaurus-bot → slorber (on 2025-09-25)

[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.

v3.6.2

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.0

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.2

1 finding
LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.1-canary-6388

2 findings
LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: slorber → docusaurus-bot (on 2025-09-04)

[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-04. This could indicate a legitimate maintainer transition or an account compromise.