← Home

gulp-uglify

npm Repository Homepage

Minify files with UglifyJS.

27
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

terinjokes

Keywords

gulpplugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): Dep swap is a documented gulp-util migration; all new deps are established packages with no malicious history. ai
phantom-deps phantom-dep:prettier AI (phantom-deps): Prettier is a dev formatting tool referenced in eslintConfig; not imported at runtime. Stable false positive for this package. ai
phantom-deps phantom-dep:eslint-config-xo AI (phantom-deps): ESLint config referenced only in eslintConfig section; not imported at runtime. Stable false positive for this package. ai
phantom-deps phantom-dep:eslint-plugin-unicorn AI (phantom-deps): ESLint plugin referenced only in eslintConfig section; not imported at runtime. Stable false positive for this package. ai
dependencies unvetted-dep:eslint-config-xo AI (dependencies): ESLint config package used for linting only; mistakenly placed in dependencies instead of devDependencies. Not a security risk for this package. ai
dependencies unvetted-dep:eslint-plugin-unicorn AI (dependencies): ESLint plugin used for linting only; mistakenly placed in dependencies instead of devDependencies. Not a security risk for this package. ai
dependencies unvetted-dep:eslint-plugin-prettier AI (dependencies): ESLint plugin used for linting only; mistakenly placed in dependencies instead of devDependencies. Not a security risk for this package. ai
phantom-deps phantom-dep:eslint-plugin-no-use-extend-native AI (phantom-deps): ESLint plugin referenced only in eslintConfig section; not imported at runtime. Stable false positive for this package. ai
phantom-deps phantom-dep:eslint-plugin-prettier AI (phantom-deps): ESLint plugin referenced only in eslintConfig section; not imported at runtime. Stable false positive for this package. ai
phantom-deps phantom-dep:eslint-config-prettier AI (phantom-deps): ESLint config referenced only in eslintConfig section; not imported at runtime. Stable false positive for this package. ai
phantom-deps phantom-dep:eslint AI (phantom-deps): ESLint is a dev linting tool referenced in eslintConfig; not imported at runtime. Stable false positive for this package. ai
dependencies unvetted-dep:eslint-plugin-no-use-extend-native AI (dependencies): ESLint plugin used for linting only; mistakenly placed in dependencies instead of devDependencies. Not a security risk for this package. ai
dependencies unvetted-dep:array-each AI (dependencies): array-each is a small, well-known utility package; no security concerns for this gulp plugin context. ai
dependencies unvetted-dep:has-gulplog AI (dependencies): has-gulplog is a standard Gulp ecosystem utility; no security concerns. ai
dependencies unvetted-dep:extend-shallow AI (dependencies): extend-shallow is a widely-used object merging utility; no security concerns for this package. ai
dependencies unvetted-dep:vinyl-sourcemaps-apply AI (dependencies): vinyl-sourcemaps-apply is a standard Gulp/Vinyl ecosystem package for sourcemap handling; no security concerns. ai
dependencies unvetted-dep:uglify-save-license AI (dependencies): uglify-save-license is a legitimate companion utility for preserving license comments during minification. ai
dependencies unvetted-dep:make-error-cause AI (dependencies): make-error-cause is a small, well-known error utility; no security concerns. ai
dependencies unvetted-dep:uglify-js AI (dependencies): uglify-js is the canonical JS minifier; core dependency of this package by design. ai
dependencies unvetted-dep:gulplog AI (dependencies): gulplog is a well-known Gulp ecosystem logging package; no security concerns. ai
provenance no-provenance AI (provenance): gulp-uglify predates Sigstore provenance by years; absence of attestation is expected for this package's age and publish history. ai

Versions (showing 27 of 27)

Version Deps Published
3.0.1 8 / 14
2.1.1 15 / 12
2.1.0 8 / 13
2.0.1 8 / 13
2.0.0 8 / 13
1.5.4 8 / 8
1.5.3 8 / 8
1.5.2 8 / 8
1.5.1 8 / 8
1.4.2 8 / 8
1.4.1 8 / 9
1.4.0 6 / 9
1.3.0 5 / 9
1.2.0 5 / 9
1.1.0 5 / 8
1.0.2 5 / 8
1.0.1 5 / 8
1.0.0 5 / 8
0.3.2 4 / 7
0.3.1 4 / 7
0.3.0 4 / 3
0.2.1 5 / 1
0.2.0 4 / 3
0.1.0 3 / 3
0.0.4 3 / 3
0.0.3 2 / 3
0.0.1 2 / 3

v3.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.