copy-webpack-plugin — Greenflagged

Copy files && directories with webpack

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

evilebottnawisokrajhnns15000621931ev1stensberg__hai

Keywords

webpackplugintransfermovecopy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:node-dir	AI (phantom-deps): node-dir is a legitimate runtime dependency for directory traversal; declared and used by the plugin.	ai	2026/04/22
phantom-deps	phantom-dep:fs-extra	AI (phantom-deps): fs-extra is a legitimate runtime dependency for file operations; declared and used by the plugin.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change reflects documented transfer to webpack-contrib org; evilebottnawi is a known webpack-contrib maintainer with strong track record. Stable for this package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New deps (globby, cacache, is-glob, p-limit, etc.) are all well-known webpack/Node.js ecosystem packages, consistent with v4.x rewrite adding caching and improved glob support.	ai	2026/04/22
dependencies	unvetted-dep:bluebird	AI (dependencies): bluebird is a well-known, widely-used Promise library with no malicious history; flagging it as unvetted is a stable false positive for this package.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Provenance attestation is not yet widespread on npm; absence is not a security signal for established packages like copy-webpack-plugin.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Original authors transferred the package to webpack-contrib org; removal is part of the documented legitimate handoff.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are core webpack-contrib contributors (sokra=webpack author, evilebottnawi=long-standing webpack-contrib maintainer). Legitimate org transfer.	ai	2026/04/22
maintainer-change	maintainer-takeover	AI (maintainer-change): The webpack-contrib org takeover of copy-webpack-plugin from original authors is a well-documented, legitimate organizational transfer. sokra/evilebottnawi/jhnns are core webpack ecosystem maintainers.	ai	2026/04/22
dependencies	unvetted-dep:serialize-javascript	AI (dependencies): serialize-javascript is a well-known, widely-used npm package appropriate for webpack plugin use; not a security concern for this package.	ai	2026/04/21

Versions (showing 51 of 83)

View all versions

Version	Deps	Published
14.0.0	5 / 28	2026-03-02
13.0.1	5 / 40	2025-08-12
13.0.0	5 / 30	2025-02-27
12.0.2	6 / 30	2024-01-17
12.0.1	6 / 30	2024-01-11
12.0.0	6 / 30	2024-01-10
11.0.0	6 / 29	2022-05-17
10.2.4	6 / 29	2022-01-31
10.2.3	6 / 29	2022-01-29
10.2.2	6 / 29	2022-01-28
10.2.1	6 / 29	2022-01-20
10.2.0	6 / 29	2021-12-16
10.1.0	6 / 29	2021-12-10
10.0.0	6 / 25	2021-11-17
9.1.0	6 / 24	2021-11-11
9.0.1	7 / 24	2021-06-25
9.0.0	7 / 24	2021-05-21
8.1.1	7 / 24	2021-04-06
8.1.0	7 / 24	2021-03-22
8.0.0	7 / 25	2021-03-04
7.0.0	8 / 25	2020-12-10
6.4.1	11 / 26	2020-12-16
6.4.0	11 / 26	2020-12-07
6.3.2	11 / 26	2020-11-19
6.3.1	11 / 26	2020-11-13
6.3.0	11 / 26	2020-11-03
6.2.1	11 / 25	2020-10-09
6.2.0	11 / 25	2020-10-02
6.1.1	11 / 25	2020-09-18
6.1.0	11 / 25	2020-08-31
6.0.4	11 / 25	2020-08-29
6.0.3	11 / 25	2020-06-30
6.0.2	11 / 26	2020-06-03
6.0.1	11 / 25	2020-05-16
6.0.0	10 / 25	2020-05-15
5.1.2	12 / 27	2020-08-27
5.1.1	12 / 27	2019-12-12
5.1.0	12 / 27	2019-12-09
5.0.5	12 / 27	2019-11-06
5.0.4	12 / 27	2019-07-26
5.0.3	12 / 24	2019-04-24
5.0.2	11 / 24	2019-03-22
5.0.1	11 / 26	2019-03-11
5.0.0	10 / 26	2019-02-20
4.6.0	8 / 11	2018-10-31
4.5.4	8 / 11	2018-10-18
4.5.3	8 / 11	2018-10-10
4.5.2	8 / 11	2018-06-26
4.5.1	8 / 9	2018-03-09
4.5.0	8 / 9	2018-03-02
4.4.3	8 / 9	2018-03-01