← Home

parcel-bundler

npm Repository Homepage
2
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:core-js AI (phantom-deps): core-js is a known runtime polyfill dependency; stable false positive for this package. ai
install-scripts install-script:postinstall AI (install-scripts): Postinstall only prints a donation message via console.log; no network calls or code execution risk. ai
semgrep semgrep:dynamic-require AI (semgrep): Bundler plugin loader pattern; dynamic require is core to parcel-bundler's extension system. ai
semgrep semgrep:child-process-import AI (semgrep): Used in RustAsset.js to invoke cargo/rustc for Rust compilation; expected for a bundler. ai
semgrep semgrep:new-function-constructor AI (semgrep): Used in HMR runtime to execute hot-reloaded modules; core bundler functionality. ai
semgrep semgrep:base64-decode AI (semgrep): Used to decode inline base64 source maps; standard source map handling. ai
phantom-deps phantom-dep:cssnano AI (phantom-deps): cssnano is listed as a runtime dependency in package.json; phantom-dep is a false positive here. ai

Versions (showing 2 of 2)

Version Deps Published
1.12.5 59 / 46
1.12.3 57 / 46

v1.12.5

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node -e "console.log('\u001b[35m\u001b[1mLove Parcel? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/parcel/donate\u001b[0m')"

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.12.3

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node -e "console.log('\u001b[35m\u001b[1mLove Parcel? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/parcel/donate\u001b[0m')"

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.