@rspack/dev-server
Development server for Rspack
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/0~serve-static.js | AI (source-diff): Webpack-bundled dependency output with license headers; not obfuscated. | ai | |
| phantom-deps | phantom-dep:@rspack/dev-middleware | AI (phantom-deps): Same-org dep declared in dependencies; re-exported or used transitively. | ai | |
| phantom-deps | phantom-dep:http-proxy-middleware | AI (phantom-deps): http-proxy-middleware is a declared runtime dep used indirectly through webpack-dev-server. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a declared runtime dependency; phantom-dep fires because it's used indirectly via webpack-dev-server internals. | ai | |
| provenance | publisher-changed | AI (provenance): hardfist is a known rspack org maintainer with extensive track record (2275 approved). Legitimate team member publishing. | ai | |
| dependencies | unvetted-dep:launch-editor | AI (dependencies): launch-editor is a well-known utility used by Vue CLI, webpack-dev-server, and similar tools. Legitimate dependency for a dev server. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Flagged maintainers (hardfist, chenjiahan) are known Bytedance/web-infra-dev contributors to the rspack ecosystem — not spam publishers. | ai | |
| source-diff | net-exec-file:client/modules/sockjs-client/index.js | AI (source-diff): This is a bundled sockjs-client UMD module — a standard client-side transport library. Network calls and dynamic module loading are expected in this context. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects internalizing webpack-dev-server's dependencies rather than delegating to it — a legitimate architectural refactor. | ai | |
| phantom-deps | phantom-dep:@types/bonjour | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:spdy | AI (phantom-deps): Conditionally required at runtime for HTTPS/HTTP2 support, same pattern as webpack-dev-server. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/sockjs | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is used to deserialize overlay filter functions from URL-encoded strings, a known pattern in webpack/rspack dev server overlay feature. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/serve-index | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/serve-static | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/express-serve-static-core | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/connect-history-api-fallback | AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. | ai | |
| phantom-deps | phantom-dep:ansi-html-community | AI (phantom-deps): Used by client overlay module for HTML rendering; referenced indirectly through bundled client code. | ai |
Versions (showing 100 of 116)
| Version | Deps | Published |
|---|---|---|
| 2.0.3 | 1 / 36 | |
| 2.0.2 | 1 / 36 | |
| 2.0.1 | 1 / 36 | |
| 2.0.0 | 1 / 36 | |
| 1.2.1 | 28 / 43 | |
| 1.2.0 | 28 / 43 | |
| 1.1.5 | 5 / 36 | |
| 1.1.4 | 5 / 39 | |
| 1.1.3 | 5 / 39 | |
| 1.1.2 | 5 / 39 | |
| 1.1.1 | 8 / 37 | |
| 1.1.0 | 8 / 37 | |
| 1.0.10 | 9 / 38 | |
| 1.0.9 | 9 / 38 | |
| 1.0.8 | 9 / 38 | |
| 1.0.7 | 9 / 38 | |
| 1.0.6 | 9 / 21 | |
| 1.0.5 | 9 / 21 | |
| 1.0.4 | 9 / 15 | |
| 1.0.3 | 8 / 9 | |
| 1.0.2 | 8 / 9 | |
| 1.0.1 | 8 / 9 | |
| 1.0.0 | 8 / 9 | |
| 0.7.5 | 8 / 7 | |
| 0.7.4 | 8 / 7 | |
| 0.7.3 | 8 / 7 | |
| 0.7.2 | 8 / 7 | |
| 0.7.1 | 8 / 7 | |
| 0.7.0 | 8 / 7 | |
| 0.6.5 | 8 / 7 | |
| 0.6.4 | 8 / 7 | |
| 0.6.3 | 8 / 7 | |
| 0.6.2 | 8 / 7 | |
| 0.6.1 | 8 / 7 | |
| 0.6.0 | 8 / 7 | |
| 0.5.9 | 8 / 7 | |
| 0.5.8 | 8 / 7 | |
| 0.5.7 | 8 / 7 | |
| 0.5.6 | 8 / 7 | |
| 0.5.5 | 8 / 7 | |
| 0.5.4 | 8 / 8 | |
| 0.5.3 | 8 / 8 | |
| 0.5.2 | 8 / 8 | |
| 0.5.1 | 10 / 8 | |
| 0.5.0 | 10 / 8 | |
| 0.4.5 | 10 / 8 | |
| 0.4.4 | 10 / 8 | |
| 0.4.3 | 10 / 8 | |
| 0.4.2 | 10 / 8 | |
| 0.4.1 | 10 / 8 | |
| 0.4.0 | 10 / 8 | |
| 0.3.14 | 10 / 8 | |
| 0.3.13 | 10 / 8 | |
| 0.3.12 | 10 / 8 | |
| 0.3.11 | 11 / 7 | |
| 0.3.10 | 11 / 7 | |
| 0.3.9 | 11 / 7 | |
| 0.3.8 | 11 / 7 | |
| 0.3.7 | 11 / 7 | |
| 0.3.6 | 11 / 7 | |
| 0.3.5 | 11 / 7 | |
| 0.3.4 | 11 / 7 | |
| 0.3.3 | 11 / 7 | |
| 0.3.2 | 11 / 7 | |
| 0.3.1 | 11 / 7 | |
| 0.3.0 | 11 / 7 | |
| 0.2.12 | 11 / 7 | |
| 0.2.11 | 11 / 7 | |
| 0.2.10 | 11 / 7 | |
| 0.2.9 | 11 / 7 | |
| 0.2.8 | 11 / 7 | |
| 0.2.7 | 11 / 7 | |
| 0.2.6 | 11 / 7 | |
| 0.2.5 | 11 / 7 | |
| 0.2.4 | 11 / 7 | |
| 0.2.3 | 11 / 7 | |
| 0.2.2 | 11 / 7 | |
| 0.2.1 | 11 / 7 | |
| 0.2.0 | 11 / 7 | |
| 0.1.12 | 10 / 6 | |
| 0.1.11 | 10 / 7 | |
| 0.1.10 | 10 / 7 | |
| 0.1.9 | 10 / 7 | |
| 0.1.8 | 10 / 7 | |
| 0.1.7 | 10 / 7 | |
| 0.1.6 | 10 / 8 | |
| 0.1.5 | 9 / 8 | |
| 0.1.4 | 9 / 8 | |
| 0.1.3 | 9 / 8 | |
| 0.1.2 | 9 / 8 | |
| 0.1.1 | 9 / 8 | |
| 0.1.0 | 9 / 8 | |
| 0.0.26 | 9 / 8 | |
| 0.0.25 | 9 / 8 | |
| 0.0.24 | 9 / 8 | |
| 0.0.23 | 9 / 8 | |
| 0.0.22 | 9 / 9 | |
| 0.0.21 | 9 / 8 | |
| 0.0.20 | 9 / 6 | |
| 0.0.19 | 9 / 6 |
v2.0.3
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.4
2 findingsThis version was published by a different npm account than previous versions on 2025-08-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.2
2 findingsThis version was published by a different npm account than previous versions on 2025-05-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-13. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.7
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.