@rushstack/heft-web-rig

A rig package for web browser projects that build using Heft

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rushstack-adminodspnpmoctogonzmicrosoft1es

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@types/heft-jest	AI (phantom-deps): Framework-scoped type package used by convention in rig.	ai	2026/05/03
phantom-deps	phantom-dep:eslint	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:postcss	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:url-loader	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@types/jest	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:terser-webpack-plugin	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:jest-environment-jsdom	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03
semgrep	semgrep:dynamic-require	AI (semgrep): Reads package.json from user-supplied projectRoot in a webpack config helper; standard rig pattern, not arbitrary code loading.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-jest-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-lint-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-sass-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-webpack5-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-typescript-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-api-extractor-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@rushstack/heft-static-asset-typings-plugin	AI (phantom-deps): Rig package declares plugins for consumers; not directly imported by design.	ai	2026/05/03
phantom-deps	phantom-dep:@microsoft/api-extractor	AI (phantom-deps): Rig package declares tools for consumers; not directly imported by design.	ai	2026/05/03

Versions (showing 8 of 8)

Version	Deps	Published
1.4.20	29 / 1	2026-04-30
1.4.18	29 / 1	2026-04-20
1.4.16	29 / 1	2026-04-18
1.4.14	29 / 1	2026-04-15
1.4.13	29 / 1	2026-04-15
1.4.12	29 / 1	2026-04-14
1.4.11	29 / 1	2026-04-11
1.1.6	28 / 1	2025-11-04