fork-ts-checker-webpack-plugin
Runs TypeScript type checker and linter in a separate process.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:vue-parser | AI (dependencies): fork-ts-checker-webpack-plugin explicitly supports Vue single-file components; vue-parser is a legitimate and expected dependency for this functionality across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice enhancement, not a security requirement. Absence does not indicate malicious intent for an established, auditable open-source package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (worker-rpc, @babel/code-frame) are established packages appropriate for TypeScript checker plugin. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is a legitimate declared dependency used in config/indirect paths; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:worker-rpc | AI (dependencies): worker-rpc is a small, focused RPC library appropriate for this plugin's worker-process architecture. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): Declared dependency used in config; already marked accepted risk. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 49 new files consistent with major version update to mature plugin; public repository is auditable. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal maintainer transition in established project; current publisher is original author with clean history. | ai | |
| phantom-deps | phantom-dep:@types/json-schema | AI (phantom-deps): Framework-scoped type package, loaded by convention in TypeScript projects. | ai | |
| dependencies | unvetted-dep:lodash.startswith | AI (dependencies): Small, stable lodash utility function; appropriate for this package's use case. | ai | |
| dependencies | unvetted-dep:lodash.endswith | AI (dependencies): Small, stable lodash utility function; appropriate for this package's use case. | ai | |
| dependencies | unvetted-dep:memfs | AI (dependencies): memfs is a legitimate in-memory filesystem used for testing; no security risk for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require(compiler) in VueProgram.js is a legitimate pattern for loading optional Vue compiler implementations with defensive try-catch. | ai | |
| dependencies | unvetted-dep:tapable | AI (dependencies): tapable is webpack's own hook/plugin system; its use is expected and appropriate for a webpack plugin. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is core to fork-ts-checker's documented function of spawning separate TypeScript checker processes; stable for this package. | ai | |
| dependencies | unvetted-dep:node-abort-controller | AI (dependencies): node-abort-controller is a legitimate AbortController polyfill; appropriate for a webpack plugin managing worker processes. | ai | |
Versions (showing 100 of 159)
| Version | Deps | Published |
|---|---|---|
| 9.1.0 | 12 / 40 | |
| 9.0.3 | 12 / 40 | |
| 9.0.2 | 12 / 40 | |
| 9.0.1 | 12 / 40 | |
| 9.0.0 | 12 / 40 | |
| 8.0.0 | 12 / 40 | |
| 7.3.0 | 12 / 40 | |
| 7.2.14 | 12 / 40 | |
| 7.2.13 | 12 / 40 | |
| 7.2.12 | 11 / 40 | |
| 7.2.11 | 11 / 40 | |
| 7.2.10 | 11 / 40 | |
| 7.2.9 | 11 / 40 | |
| 7.2.8 | 11 / 40 | |
| 7.2.7 | 11 / 40 | |
| 7.2.6 | 11 / 40 | |
| 7.2.5 | 11 / 40 | |
| 7.2.4 | 11 / 40 | |
| 7.2.3 | 11 / 40 | |
| 7.2.2 | 11 / 40 | |
| 7.2.1 | 11 / 40 | |
| 7.2.0 | 11 / 40 | |
| 7.1.1 | 11 / 40 | |
| 7.1.0 | 11 / 40 | |
| 7.0.0 | 11 / 40 | |
| 6.5.3 | 13 / 41 | |
| 6.5.2 | 13 / 41 | |
| 6.5.1 | 13 / 41 | |
| 6.5.0 | 13 / 41 | |
| 6.4.2 | 13 / 41 | |
| 6.4.1 | 13 / 41 | |
| 6.4.0 | 13 / 41 | |
| 6.3.6 | 13 / 41 | |
| 6.3.5 | 13 / 41 | |
| 6.3.4 | 13 / 41 | |
| 6.3.3 | 13 / 41 | |
| 6.3.2 | 13 / 41 | |
| 6.3.1 | 13 / 41 | |
| 6.3.0 | 13 / 41 | |
| 6.2.13 | 13 / 41 | |
| 6.2.12 | 13 / 41 | |
| 6.2.11 | 13 / 41 | |
| 6.2.10 | 13 / 41 | |
| 6.2.9 | 13 / 41 | |
| 6.2.8 | 13 / 41 | |
| 6.2.7 | 13 / 41 | |
| 6.2.6 | 13 / 41 | |
| 6.2.5 | 12 / 41 | |
| 6.2.4 | 12 / 41 | |
| 6.2.3 | 12 / 41 | |
| 6.2.2 | 12 / 41 | |
| 6.2.1 | 12 / 41 | |
| 6.2.0 | 12 / 41 | |
| 6.1.1 | 12 / 41 | |
| 6.1.0 | 12 / 41 | |
| 6.0.8 | 12 / 41 | |
| 6.0.7 | 12 / 41 | |
| 6.0.6 | 12 / 41 | |
| 6.0.5 | 12 / 41 | |
| 6.0.4 | 12 / 41 | |
| 6.0.3 | 12 / 41 | |
| 6.0.2 | 12 / 41 | |
| 6.0.1 | 12 / 41 | |
| 6.0.0 | 12 / 41 | |
| 5.2.1 | 11 / 41 | |
| 5.2.0 | 11 / 39 | |
| 5.1.0 | 11 / 39 | |
| 5.0.14 | 11 / 39 | |
| 5.0.13 | 11 / 39 | |
| 5.0.12 | 11 / 39 | |
| 5.0.11 | 11 / 39 | |
| 5.0.10 | 11 / 39 | |
| 5.0.9 | 11 / 39 | |
| 5.0.8 | 10 / 40 | |
| 5.0.7 | 10 / 40 | |
| 5.0.6 | 10 / 40 | |
| 5.0.5 | 10 / 40 | |
| 5.0.4 | 10 / 40 | |
| 5.0.3 | 10 / 40 | |
| 5.0.2 | 10 / 40 | |
| 5.0.1 | 10 / 40 | |
| 5.0.0 | 10 / 40 | |
| 4.1.6 | 7 / 40 | |
| 4.1.5 | 7 / 40 | |
| 4.1.4 | 7 / 40 | |
| 4.1.3 | 7 / 40 | |
| 4.1.2 | 7 / 40 | |
| 4.1.1 | 7 / 40 | |
| 4.1.0 | 7 / 40 | |
| 4.0.5 | 7 / 40 | |
| 4.0.4 | 7 / 40 | |
| 4.0.3 | 7 / 40 | |
| 4.0.2 | 7 / 40 | |
| 4.0.1 | 7 / 41 | |
| 3.1.1 | 8 / 44 | |
| 3.1.0 | 8 / 43 | |
| 3.0.1 | 8 / 42 | |
| 3.0.0 | 8 / 42 | |
| 2.0.0 | 8 / 42 | |
| 1.6.0 | 8 / 42 | |
v9.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.