@types/webpack
TypeScript definitions for webpack
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
types
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:https://github.com/tkqubo | AI (email-domain): The 'email' field contains a GitHub profile URL, not an actual email address. The analyzer misidentifies the URL domain as an unclaimed email domain. No real hijacking risk exists. | ai | |
| phantom-deps | phantom-dep:@types/webpack-dev-server | AI (phantom-deps): Type-only @types/* packages are loaded by convention in TypeScript projects, not directly imported. Standard pattern for DefinitelyTyped packages. | ai | |
| dependencies | unvetted-dep:@types/webpack-dev-server | AI (dependencies): @types/webpack-dev-server is a DefinitelyTyped package; its inclusion as a dep of @types/webpack is semantically correct for webpack devServer config types. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @types/webpack v5 correctly depends on webpack and tapable directly because webpack 5 ships its own types; this is the standard DefinitelyTyped graduation pattern. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop from 88KB to 1KB is expected: @types/webpack v5 is a thin re-export stub since webpack 5 ships its own bundled types. | ai | |
| phantom-deps | phantom-dep:webpack | AI (phantom-deps): webpack is a type-source dependency for a pure @types package; not directly imported in JS is expected and correct. | ai | |
| provenance | no-provenance | AI (provenance): Package is 3626 days old from the well-established DefinitelyTyped publisher; lack of Sigstore provenance is expected for packages of this age and lineage. | ai | |
| phantom-deps | phantom-dep:@types/tapable | AI (phantom-deps): @types/* packages are conventionally declared as deps but referenced via type declarations, not runtime imports. This is expected for DefinitelyTyped packages. | ai | |
| phantom-deps | phantom-dep:@types/anymatch | AI (phantom-deps): @types/* packages are conventionally declared as deps but referenced via type declarations, not runtime imports. This is expected for DefinitelyTyped packages. | ai | |
| phantom-deps | phantom-dep:@types/uglify-js | AI (phantom-deps): @types/* packages are conventionally declared as deps but referenced via type declarations, not runtime imports. This is expected for DefinitelyTyped packages. | ai | |
| phantom-deps | phantom-dep:@types/webpack-sources | AI (phantom-deps): @types/* packages are conventionally declared as deps but referenced via type declarations, not runtime imports. This is expected for DefinitelyTyped packages. | ai | |
| dependencies | unvetted-dep:@types/tapable | AI (dependencies): Standard DefinitelyTyped transitive type dependency; no runtime code, no security risk. | ai | |
| dependencies | unvetted-dep:@types/anymatch | AI (dependencies): Standard DefinitelyTyped transitive type dependency; no runtime code, no security risk. | ai | |
| dependencies | unvetted-dep:@types/uglify-js | AI (dependencies): Standard DefinitelyTyped transitive type dependency; no runtime code, no security risk. | ai | |
| dependencies | unvetted-dep:@types/webpack-sources | AI (dependencies): Standard DefinitelyTyped transitive type dependency; no runtime code, no security risk. | ai | |
| dependencies | unvetted-dep:tapable | AI (dependencies): @types/webpack legitimately depends on tapable for type re-exports; this is expected for a DefinitelyTyped package and stable across versions. | ai | |
| phantom-deps | phantom-dep:tapable | AI (phantom-deps): tapable is referenced in type definitions without direct import; normal pattern for type-only packages in DefinitelyTyped. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): @types/webpack must depend on webpack itself to re-export its types; this is the standard DefinitelyTyped pattern and stable across versions. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is framework-scoped and loaded by convention in TypeScript projects; stable false positive for this package. | ai |
Versions (showing 51 of 174)
| Version | Deps | Published |
|---|---|---|
| 5.28.5 | 3 / 0 | |
| 5.28.4 | 3 / 0 | |
| 5.28.3 | 3 / 0 | |
| 5.28.2 | 3 / 0 | |
| 5.28.1 | 3 / 0 | |
| 5.28.0 | 3 / 0 | |
| 5.0.0 | 3 / 0 | |
| 4.41.40 | 6 / 0 | |
| 4.41.39 | 6 / 0 | |
| 4.41.38 | 6 / 0 | |
| 4.41.37 | 6 / 0 | |
| 4.41.36 | 6 / 0 | |
| 4.41.35 | 6 / 0 | |
| 4.41.34 | 6 / 0 | |
| 4.41.33 | 6 / 0 | |
| 4.41.32 | 6 / 0 | |
| 4.41.31 | 6 / 0 | |
| 4.41.30 | 6 / 0 | |
| 4.41.29 | 6 / 0 | |
| 4.41.28 | 6 / 0 | |
| 4.41.27 | 6 / 0 | |
| 4.41.26 | 6 / 0 | |
| 4.41.25 | 6 / 0 | |
| 4.41.24 | 6 / 0 | |
| 4.41.23 | 6 / 0 | |
| 4.41.22 | 6 / 0 | |
| 4.41.21 | 6 / 0 | |
| 4.41.20 | 6 / 0 | |
| 4.41.19 | 6 / 0 | |
| 4.41.18 | 6 / 0 | |
| 4.41.17 | 6 / 0 | |
| 4.41.16 | 6 / 0 | |
| 4.41.15 | 6 / 0 | |
| 4.41.14 | 6 / 0 | |
| 4.41.13 | 6 / 0 | |
| 4.41.12 | 6 / 0 | |
| 4.41.11 | 6 / 0 | |
| 4.41.10 | 6 / 0 | |
| 4.41.9 | 6 / 0 | |
| 4.41.8 | 6 / 0 | |
| 4.41.7 | 6 / 0 | |
| 4.41.6 | 6 / 0 | |
| 4.41.5 | 6 / 0 | |
| 4.41.4 | 6 / 0 | |
| 4.41.3 | 6 / 0 | |
| 4.41.2 | 6 / 0 | |
| 4.41.1 | 6 / 0 | |
| 4.41.0 | 6 / 0 | |
| 4.39.9 | 6 / 0 | |
| 4.39.8 | 6 / 0 | |
| 4.39.7 | 6 / 0 |
v4.41.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.