@rsbuild/core

Versions: 22
License
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

chenjiahan
hardfist

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:dist/506.js | AI (source-diff): Webpack bundle of known deps (http-proxy-middleware, memfs, etc.); expected for a build tool. | ai |
source-diff | net-exec-file:dist/58.js | AI (source-diff): Webpack bundle of known deps (postcss, http-proxy-middleware, etc.); expected for a build tool. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): 409 versions over 940 days; CI-published with SLSA provenance, so not a real dormancy signal. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): Bundled debug library filtering DEBUG_ env vars; standard behavior. | ai |
semgrep | semgrep:eval-usage | AI (semgrep): eval('require')('debug') is a standard webpack bundling pattern in compiled deps. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): launch-editor-middleware legitimately needs child_process. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Standard dynamic import() polyfill pattern in bundled postcss-loader. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Minified compiled output; no malicious payload. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): PostCSS plugin loader using dynamic require; expected in build tooling. | ai |
typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped Rspack build tool is not a typosquat of the cors middleware package. | ai |

Versions (showing 22 of 22)

Version | Deps | Published
2.0.9 | 2 / 41 |
2.0.8 | 2 / 41 |
2.0.7 | 2 / 41 |
2.0.6 | 2 / 41 |
2.0.5 | 2 / 41 |
2.0.4 | 2 / 41 |
2.0.3 | 2 / 41 |
2.0.2 | 2 / 41 |
2.0.1 | 2 / 41 |
2.0.0 | 2 / 41 |
1.7.5 | 5 / 44 |
1.6.10 | 5 / 44 |
1.6.9 | 5 / 44 |
1.6.8 | 5 / 44 |
1.6.7 | 5 / 44 |
1.6.6 | 5 / 44 |
1.6.5 | 5 / 44 |
1.6.4 | 5 / 44 |
1.6.3 | 5 / 44 |
1.6.2 | 5 / 44 |
1.6.1 | 5 / 44 |
1.6.0 | 5 / 44 |

v2.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.8

2 findings
HIGH New file with network + code execution: dist/756.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.3

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.5

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.10

2 findings
HIGH New file with network + code execution: dist/131.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.9

2 findings
HIGH New file with network + code execution: dist/506.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.8

2 findings
HIGH New file with network + code execution: dist/506.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.7

2 findings
HIGH New file with network + code execution: dist/58.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.