rolldown
Fast JavaScript/TypeScript bundler in Rust with Rollup-compatible API.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/shared/rolldown-build-CrPk_lZe.mjs | AI (source-diff): Bundled rolldown core build output; long lines expected from bundler. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DYnaB1Nb.mjs | AI (source-diff): Bundled consola prompt code; long lines from bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DewH0PjV.mjs | AI (source-diff): Bundled consola prompt code with long lines; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-9MccaWPU.mjs | AI (source-diff): Bundled rolldown build logic with long import lines; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-BVD3dIdE.mjs | AI (source-diff): Bundled dist output with readable structure; standard for this build-tool package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-D_ShytiL.mjs | AI (source-diff): Bundled build output with readable structure; standard for this package's build pipeline. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 21.6M weekly downloads and 620 versions; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require is loading a fixed 'package.json' file via path join — not user-controlled input. This is a stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-Xyw7SC_7.mjs | AI (source-diff): ESM variant of bundled consola library; readable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-HcmWcfPe.cjs | AI (source-diff): Bundled [email protected] library output with readable code and region comments; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-hoPhcrA-.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-9Ij3R3TG.cjs | AI (source-diff): Bundled consola prompt chunk; readable code with long lines from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DGW8ZJmn.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-_8_dG1Nr.cjs | AI (source-diff): Bundled consola library output; readable code with region comments, not obfuscation. Expected for a bundler tool. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-RFvZMmjc.cjs | AI (source-diff): Bundled consola prompt chunk; readable code, long lines from bundling not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-DWsVjwtA.mjs | AI (source-diff): ESM variant of bundled consola library; readable structured code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-uoOfg_gh.mjs | AI (source-diff): ESM variant of bundled consola prompt module; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-ED9jtJgC.mjs | AI (source-diff): ESM variant of bundled [email protected]; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-RVbq7gBJ.cjs | AI (source-diff): Bundled output of [email protected] library; readable code with source path comments, not obfuscation. Standard for a bundler's dist output. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-Q6AgPcFh.cjs | AI (source-diff): Bundled output of consola prompt module; readable code with source path comments, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-D9ce-831.mjs | AI (source-diff): ESM variant of bundled [email protected]; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-B7L-radJ.cjs | AI (source-diff): Bundled [email protected] library output; readable code with region comments, not obfuscation. Standard for a bundler tool. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-BiXtYIJ2.cjs | AI (source-diff): Bundled consola prompt chunk; readable code with region comments, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DlQ-08lk.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Rolldown bundles dependencies into dist/; file count growth is normal for this build tool package. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-9VjtYvi_.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable JS, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-eps_ogJv.cjs | AI (source-diff): Bundled consola library output; readable JS, not obfuscated. Standard for build tools shipping dist bundles. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-Ah5G71p-.cjs | AI (source-diff): Bundled consola prompt chunk; readable JS with long lines from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-m5cABVv4.mjs | AI (source-diff): ESM variant of bundled consola library; same readable code as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-p4CNcyTx.cjs | AI (source-diff): Bundled consola library output, not obfuscated. Readable code with long lines from bundling. Standard for a bundler tool shipping pre-bundled CLI deps. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-QyAKDJpW.mjs | AI (source-diff): ESM variant of bundled consola library. Same readable code, just ESM imports. Standard bundler output. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-LYk41n1z.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk. Readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-vP5sHLso.cjs | AI (source-diff): Bundled consola prompt chunk, not obfuscated. Readable terminal escape sequence code from [email protected]. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-N8xiTrv3.cjs | AI (source-diff): Bundled output of [email protected] logging library; readable code with long lines typical of bundler dist output. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-pjyLzLci.mjs | AI (source-diff): ESM variant of bundled consola prompt module; readable code, no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-jtHhMkSX.mjs | AI (source-diff): ESM variant of bundled [email protected]; same readable code as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-1K6oCkIU.cjs | AI (source-diff): Bundled output of consola prompt module; readable code, no obfuscation, standard Node.js imports only. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-5LhwiLE2.mjs | AI (source-diff): ESM variant of bundled consola dependency; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-v8IJTptZ.cjs | AI (source-diff): Bundled consola prompt chunk into dist output; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-WXb1k8ME.cjs | AI (source-diff): Bundled consola dependency into dist output; readable code, not obfuscated. Rolldown is a bundler that inlines deps. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-qKiYiowG.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscated. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 1.0.3 | 2 / 19 | |
| 1.0.2 | 2 / 19 | |
| 1.0.1 | 2 / 19 | |
| 1.0.0 | 2 / 19 | |
| 0.15.1 | 1 / 24 | |
| 0.15.0 | 1 / 24 | |
| 0.14.0 | 1 / 23 | |
| 0.13.2 | 1 / 22 | |
| 0.13.1 | 1 / 22 | |
| 0.13.0 | 1 / 22 | |
| 0.12.2 | 1 / 20 | |
| 0.12.1 | 1 / 20 | |
| 0.12.0 | 1 / 20 | |
| 0.11.1 | 1 / 20 | |
| 0.11.0 | 1 / 20 | |
| 0.10.5 | 6 / 15 | |
| 0.10.4 | 17 / 16 | |
| 0.10.3 | 12 / 21 | |
| 0.10.2 | 11 / 14 | |
| 0.10.1 | 10 / 11 | |
| 0.10.0 | 10 / 9 | |
| 0.9.2 | 10 / 9 | |
| 0.9.1 | 10 / 9 | |
| 0.3.0 | 10 / 0 | |
v1.0.3
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.1
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.1
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.5
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
5 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.