mini-css-extract-plugin

extracts CSS into separate files

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

evilebottnawisokrajhnns

Keywords

webpackcssextracthmr

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): mini-css-extract-plugin is a legitimate webpack-contrib package; signals (mass-production, no keywords, small entry point) are all false positives for this well-established plugin.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; absence is expected for all historical versions of this package.	ai	2026/04/22
source-diff	obfuscated-file:dist/CssLoadingRuntimeModule.js	AI (source-diff): dist/ files are Babel-transpiled output from the build step; long lines are webpack runtime template strings, not obfuscation. This is expected for webpack plugin packages in the webpack-contrib org.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): tapable is the official webpack hook library from the same org; its addition as a direct dep is expected and benign for a webpack plugin.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Package is under the webpack GitHub org; early contributors leaving is a normal org consolidation, not a takeover signal.	ai	2026/04/22
dependencies	unvetted-dep:tapable	AI (dependencies): tapable is a core webpack team utility and a standard dependency for all webpack plugins; no risk for this package.	ai	2026/04/21

Versions (showing 84 of 84)

Version	Deps	Published
2.10.2	2 / 32	2026-03-26
2.10.1	2 / 32	2026-03-10
2.10.0	2 / 44	2026-01-16
2.9.4	2 / 44	2025-08-11
2.9.3	2 / 35	2025-08-04
2.9.2	2 / 35	2024-11-01
2.9.1	2 / 35	2024-08-19
2.9.0	2 / 35	2024-04-16
2.8.1	2 / 35	2024-02-27
2.8.0	2 / 35	2024-02-01
2.7.7	1 / 35	2024-01-10
2.7.6	1 / 35	2023-05-19
2.7.5	1 / 35	2023-03-16
2.7.4	1 / 35	2023-03-16
2.7.3	1 / 35	2023-03-07
2.7.2	1 / 34	2022-12-06
2.7.1	1 / 34	2022-11-29
2.7.0	1 / 33	2022-11-16
2.6.1	1 / 33	2022-06-15
2.6.0	1 / 32	2022-03-03
2.5.3	1 / 32	2022-01-25
2.5.2	1 / 32	2022-01-17
2.5.1	1 / 32	2022-01-17
2.5.0	1 / 32	2022-01-14
2.4.7	1 / 31	2022-01-13
2.4.6	1 / 31	2022-01-06
2.4.5	1 / 31	2021-11-17
2.4.4	1 / 31	2021-11-04
2.4.3	1 / 31	2021-10-21
2.4.2	1 / 31	2021-10-07
2.4.1	1 / 31	2021-10-05
2.4.0	1 / 31	2021-10-05
2.3.0	1 / 31	2021-09-11
2.2.2	1 / 29	2021-09-01
2.2.1	1 / 29	2021-08-31
2.2.0	1 / 29	2021-08-04
2.1.0	1 / 29	2021-07-05
2.0.0	1 / 29	2021-06-30
1.6.2	3 / 29	2021-06-28
1.6.1	3 / 29	2021-06-25
1.6.0	3 / 29	2021-04-30
1.5.1	3 / 29	2021-04-28
1.5.0	3 / 29	2021-04-17
1.4.1	3 / 29	2021-04-07
1.4.0	3 / 29	2021-03-26
1.3.9	3 / 29	2021-02-25
1.3.8	3 / 30	2021-02-18
1.3.7	3 / 30	2021-02-15
1.3.6	3 / 30	2021-02-08
1.3.5	3 / 30	2021-01-28
1.3.4	3 / 30	2021-01-13
1.3.3	3 / 30	2020-12-10
1.3.2	3 / 29	2020-12-04
1.3.1	3 / 29	2020-11-12
1.3.0	3 / 29	2020-11-06
1.2.1	3 / 29	2020-10-27
1.2.0	3 / 29	2020-10-23
1.1.2	3 / 29	2020-10-22
1.1.1	3 / 29	2020-10-20
1.1.0	3 / 29	2020-10-19
1.0.0	4 / 28	2020-10-09
0.12.0	4 / 28	2020-10-07
0.11.3	4 / 28	2020-10-02
0.11.2	4 / 28	2020-09-12
0.11.1	4 / 28	2020-09-08
0.11.0	4 / 28	2020-08-27
0.10.1	4 / 28	2020-08-27
0.10.0	4 / 28	2020-08-10
0.9.0	4 / 30	2019-12-20
0.8.2	4 / 30	2019-12-17
0.8.1	4 / 30	2019-12-17
0.8.0	4 / 30	2019-07-16
0.7.0	4 / 30	2019-05-27
0.6.0	4 / 29	2019-04-10
0.5.0	3 / 29	2018-12-07
0.4.5	3 / 29	2018-11-21
0.4.4	3 / 29	2018-10-10
0.4.3	3 / 29	2018-09-18
0.4.2	3 / 29	2018-08-21
0.4.1	3 / 29	2018-06-29
0.4.0	2 / 20	2018-03-29
0.3.0	2 / 20	2018-03-28
0.2.0	2 / 18	2018-03-07
0.1.0	2 / 18	2018-03-04

v0.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.