@parcel/core — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:cors	AI (typosquat): @parcel/core is the well-established Parcel bundler core package; Levenshtein match against 'cors' is purely coincidental and will never be a real typosquat signal for this scoped package.	ai	2026/04/24
semgrep	semgrep:env-spread	AI (semgrep): Parcel intentionally spreads process.env to pass environment variables to bundled code; this is a documented, core feature of the bundler, not a secret-leaking vulnerability.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Buffer.from(id, 'hex') is used to generate short base62 asset IDs — a well-known Parcel internal pattern, not payload obfuscation.	ai	2026/04/23
phantom-deps	phantom-dep:clone	AI (phantom-deps): Phantom dep in a large monorepo sub-package; indirect usage through the plugin system is expected.	ai	2026/04/23
phantom-deps	phantom-dep:@parcel/plugin	AI (phantom-deps): Same-org scoped package; declared for plugin API consumers, not a direct import in core itself.	ai	2026/04/23

Versions (showing 68 of 68)

Hide prereleases

Version	Deps	Published
2.16.4	25 / 4	2026-02-02
2.16.3	25 / 4	2025-12-06
2.16.2	25 / 4	2025-12-06
2.16.1	25 / 4	2025-11-05
2.16.0	25 / 4	2025-09-18
2.15.4	25 / 4	2025-06-20
2.15.3	25 / 4	2025-06-20
2.15.2	25 / 4	2025-05-25
2.15.1	25 / 4	2025-05-16
2.15.0	25 / 4	2025-05-12
2.14.4	25 / 4	2025-03-29
2.14.3	25 / 4	2025-03-29
2.14.2	25 / 4	2025-03-23
2.14.1	25 / 4	2025-03-19
2.14.0	25 / 4	2025-03-18
2.13.3	25 / 4	2024-12-16
2.13.2	25 / 4	2024-11-25
2.13.1	25 / 4	2024-11-25
2.13.0	25 / 4	2024-11-12
2.12.0	25 / 2	2024-02-28
2.11.0	25 / 2	2024-01-04
2.10.3	25 / 2	2023-11-15
2.10.2	25 / 2	2023-11-02
2.10.1	25 / 2	2023-10-24
2.10.0	25 / 2	2023-10-11
2.9.3	25 / 2	2023-06-25
2.9.2	25 / 2	2023-06-08
2.9.1	25 / 2	2023-05-27
2.9.0	25 / 2	2023-05-26
2.8.3	24 / 2	2023-01-18
2.8.2	24 / 2	2022-12-14
2.8.1	24 / 2	2022-12-08
2.8.0	24 / 2	2022-11-09
2.7.0	24 / 2	2022-08-03
2.6.2	24 / 2	2022-06-22
2.6.1	24 / 2	2022-06-17
2.6.0	24 / 2	2022-05-25
2.5.0	24 / 2	2022-04-21
2.4.1	24 / 2	2022-03-31
2.4.0	24 / 2	2022-03-22
2.3.2	24 / 2	2022-02-18
2.3.1	24 / 2	2022-02-10
2.3.0	24 / 2	2022-02-09
2.2.1	25 / 2	2022-01-17
2.2.0	25 / 2	2022-01-12
2.1.1	25 / 2	2022-01-06
2.1.0	25 / 2	2022-01-05
2.0.1	24 / 2	2021-11-08
2.0.0	24 / 2	2021-10-13
2.0.0-canary.1873	25 / 4	2026-02-03
2.0.0-canary.1871	25 / 4	2025-12-07
2.0.0-canary.1864	25 / 4	2025-11-06
2.0.0-canary.1862	25 / 4	2025-10-24
2.0.0-canary.1861	25 / 4	2025-09-19
2.0.0-canary.1859	25 / 4	2025-08-31
2.0.0-canary.1858	25 / 4	2025-06-21
2.0.0-canary.1851	25 / 4	2025-06-08
2.0.0-canary.1848	25 / 4	2025-05-29
2.0.0-canary.1847	25 / 4	2025-05-25
2.0.0-canary.1840	25 / 4	2025-05-21
2.0.0-canary.1835	25 / 4	2025-05-19
2.0.0-canary.1833	25 / 4	2025-05-17
2.0.0-canary.1831	25 / 4	2025-05-16
2.0.0-canary.1830	25 / 4	2025-05-13
2.0.0-canary.1824	25 / 4	2025-05-11
2.0.0-canary.1818	25 / 4	2025-05-11
2.0.0-canary.1817	25 / 4	2025-04-30
2.0.0-canary.1816	25 / 4	2025-04-28

v2.16.4

3 findings

HIGH env-spread: lib/resolveOptions.js:132 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/parcel-bundler/parcel/blob/59484858a1a0bcbb71f74088956bb437a2db6505/lib/resolveOptions.js#L132 130 | throw new Error('Lazy bundling does not work with content hashing'); 131 | } > 132 | let env = { 133 | ...(await (0, _loadDotEnv.default)(initialOptions.env ?? {}, inputFS, _path().default.join(projectRoot, 'index'), pr 134 | ...process.env,

HIGH env-spread: src/resolveOptions.js:148 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/parcel-bundler/parcel/blob/59484858a1a0bcbb71f74088956bb437a2db6505/src/resolveOptions.js#L148 146 | } 147 | > 148 | let env = { 149 | ...(await loadDotEnv( 150 | initialOptions.env ?? {},

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.11.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.3

3 findings

HIGH env-spread: lib/resolveOptions.js:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/parcel-bundler/parcel/blob/349a6caf40ec8abb6a49fcae0765f8f8deb2073d/lib/resolveOptions.js#L137 135 | } 136 | > 137 | let env = { ...(await (0, _loadDotEnv.default)((_initialOptions$env = initialOptions.env) !== null && _initialOptions$ 138 | ...process.env, 139 | ...initialOptions.env

HIGH env-spread: src/resolveOptions.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/parcel-bundler/parcel/blob/349a6caf40ec8abb6a49fcae0765f8f8deb2073d/src/resolveOptions.js#L113 111 | } 112 | > 113 | let env = { 114 | ...(await loadDotEnv( 115 | initialOptions.env ?? {},

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@parcel/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.