terser-webpack-plugin
Terser plugin for webpack
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition from individual maintainer to GitHub Actions CI/CD with SLSA provenance; standard for webpack org. | ai | |
| dependencies | unvetted-dep:@webpack-contrib/schema-utils | AI (dependencies): @webpack-contrib/schema-utils is a webpack-contrib org package consistent with this plugin's publisher and ecosystem; its use here is expected and contextually appropriate. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; published by the established webpack-contrib org with strong track record. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:worker-farm | AI (dependencies): worker-farm is an established package for parallel task execution; appropriate for minifier plugin's worker pool management. | ai | |
| phantom-deps | phantom-dep:serialize-javascript | AI (phantom-deps): serialize-javascript is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages. | ai | |
| phantom-deps | phantom-dep:@jridgewell/trace-mapping | AI (phantom-deps): @jridgewell/trace-mapping is a declared runtime dependency replacing source-map; phantom detection is a false positive for transpiled packages. | ai | |
| phantom-deps | phantom-dep:schema-utils | AI (phantom-deps): schema-utils is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages. | ai | |
| phantom-deps | phantom-dep:terser | AI (phantom-deps): terser is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages. | ai | |
| phantom-deps | phantom-dep:jest-worker | AI (phantom-deps): jest-worker is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Package ships compiled dist/ output; size drop is a diff artifact from source reorganization, not code removal or stubbing. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (sokra, jhnns, ev1stensberg, etc.) are well-known webpack core contributors; this is a legitimate org-level addition, not a suspicious takeover. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by vendoring serialize-javascript (removed as runtime dep) directly into dist via new build scripts; consistent with reducing dependency surface. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are all established packages (cacache, find-cache-dir, is-wsl, source-map, webpack-sources, worker-farm) serving legitimate webpack plugin functions; no suspicious patterns. | ai | |
| dependencies | unvetted-dep:schema-utils | AI (dependencies): schema-utils is the standard webpack option validation library; its use is expected across all webpack plugin packages. | ai | |
| dependencies | unvetted-dep:jest-worker | AI (dependencies): jest-worker is used for parallel worker threads in webpack plugins; its use here is a well-established pattern in the webpack ecosystem. | ai | |
| dependencies | unvetted-dep:terser | AI (dependencies): terser is the core minifier this plugin wraps; its presence as a dependency is fundamental and expected for all versions of this package. | ai | |
Versions (showing 51 of 89)
| Version | Deps | Published |
|---|---|---|
| 5.6.1 | 4 / 42 | |
| 5.6.0 | 4 / 42 | |
| 5.5.0 | 4 / 32 | |
| 5.4.0 | 4 / 32 | |
| 5.3.17 | 4 / 32 | |
| 5.3.16 | 5 / 42 | |
| 5.3.15 | 5 / 42 | |
| 5.3.14 | 5 / 33 | |
| 5.3.13 | 5 / 33 | |
| 5.3.12 | 5 / 33 | |
| 5.3.11 | 5 / 33 | |
| 5.3.10 | 5 / 33 | |
| 5.3.9 | 5 / 33 | |
| 5.3.8 | 5 / 33 | |
| 5.3.7 | 5 / 33 | |
| 5.3.6 | 5 / 31 | |
| 5.3.5 | 5 / 31 | |
| 5.3.4 | 5 / 31 | |
| 5.3.3 | 5 / 31 | |
| 5.3.2 | 5 / 31 | |
| 5.3.1 | 5 / 31 | |
| 5.3.0 | 5 / 31 | |
| 5.2.5 | 5 / 30 | |
| 5.2.4 | 6 / 30 | |
| 5.2.3 | 6 / 30 | |
| 5.2.2 | 6 / 30 | |
| 5.2.1 | 6 / 30 | |
| 5.2.0 | 6 / 30 | |
| 5.1.4 | 6 / 27 | |
| 5.1.3 | 6 / 27 | |
| 5.1.2 | 6 / 27 | |
| 5.1.1 | 6 / 28 | |
| 5.1.0 | 6 / 28 | |
| 5.0.3 | 6 / 28 | |
| 5.0.2 | 6 / 28 | |
| 5.0.1 | 6 / 26 | |
| 5.0.0 | 6 / 26 | |
| 4.2.3 | 9 / 26 | |
| 4.2.2 | 9 / 26 | |
| 4.2.1 | 9 / 26 | |
| 4.2.0 | 9 / 26 | |
| 4.1.0 | 9 / 26 | |
| 4.0.0 | 9 / 26 | |
| 3.1.0 | 9 / 26 | |
| 3.0.8 | 9 / 26 | |
| 3.0.7 | 9 / 25 | |
| 3.0.6 | 9 / 24 | |
| 3.0.5 | 9 / 23 | |
| 3.0.4 | 9 / 23 | |
| 3.0.3 | 9 / 23 | |
| 3.0.2 | 9 / 23 | |
v5.6.1
2 findings
This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.6.0
2 findings
This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
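The per-version findings above come from two pieces of registry metadata: which npm account published each version, and whether the version carries a Sigstore provenance attestation. The following is an added example, not code from this page or from the terser-webpack-plugin project, that derives both findings from a package's registry document (the JSON behind `npm view <pkg>`, served from `https://registry.npmjs.org/<pkg>`), using its `time` map, `versions[v]._npmUser` and `versions[v].dist.attestations` fields. The packument below is constructed: the package name, account names, timestamps and attestation URL are invented, and the field shapes are modelled from the registry format rather than fetched.

```javascript
// Added example: reproduce "publisher-changed" and "no-provenance" findings
// from an npm registry packument. Not code from the page or from
// terser-webpack-plugin; PACKUMENT is constructed, not fetched.

// Predicate types npm has used for provenance attestations: SLSA v1 today,
// SLSA v0.2 for packages published when provenance first launched.
const SLSA_PREDICATES = new Set([
  'https://slsa.dev/provenance/v1',
  'https://slsa.dev/provenance/v0.2',
]);

// Constructed packument: two releases by an individual account without
// provenance, then two releases by a CI account with an SLSA v1 attestation.
const PACKUMENT = {
  name: 'example-minifier-plugin',
  time: {
    created: '2026-01-10T12:00:00.000Z',
    '5.4.0': '2026-01-10T12:00:00.000Z',
    '5.5.0': '2026-03-02T09:30:00.000Z',
    '5.6.0': '2026-05-08T15:45:00.000Z',
    '5.6.1': '2026-05-27T08:05:00.000Z',
    modified: '2026-05-27T08:05:00.000Z',
  },
  versions: {
    '5.4.0': { _npmUser: { name: 'alice' }, dist: {} },
    '5.5.0': { _npmUser: { name: 'alice' }, dist: {} },
    '5.6.0': {
      _npmUser: { name: 'ci-publisher' },
      dist: { attestations: {
        url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-minifier-plugin@5.6.0',
        provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
    },
    '5.6.1': {
      _npmUser: { name: 'ci-publisher' },
      dist: { attestations: {
        url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-minifier-plugin@5.6.1',
        provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
    },
  },
};

// Versions in the order they reached the registry, taken from `time` rather
// than from semver, so a back-ported patch published later is compared with
// the version that actually preceded it.
function publishOrder(packument) {
  return Object.entries(packument.time)
    .filter(([version]) => version in packument.versions)
    .sort(([, a], [, b]) => Date.parse(a) - Date.parse(b))
    .map(([version]) => version);
}

// True when the version document advertises an SLSA provenance attestation.
// This is only the registry's claim that a bundle exists; verifying the
// bundle itself (signature, Fulcio certificate, Rekor inclusion) is what
// `npm audit signatures` does.
function hasProvenance(versionDoc) {
  const predicate = versionDoc.dist?.attestations?.provenance?.predicateType;
  return SLSA_PREDICATES.has(predicate);
}

// One finding per rule per version. The publisher comparison is against the
// immediately preceding release, so every switch is flagged, including a
// switch back to an account seen earlier.
function reviewPackument(packument) {
  const findings = [];
  let previousPublisher = null;
  for (const version of publishOrder(packument)) {
    const doc = packument.versions[version];
    const publisher = doc._npmUser?.name ?? null;
    const published = packument.time[version].slice(0, 10);
    if (previousPublisher !== null && publisher !== previousPublisher) {
      findings.push({
        version,
        rule: 'publisher-changed',
        message: `published by ${publisher} on ${published}; previous version by ${previousPublisher}`,
      });
    }
    if (!hasProvenance(doc)) {
      findings.push({ version, rule: 'no-provenance', message: 'published without Sigstore provenance' });
    }
    previousPublisher = publisher;
  }
  return findings;
}

for (const f of reviewPackument(PACKUMENT)) {
  console.log(`${f.version}\t${f.rule}\t${f.message}`);
}
```

Against a real package the same fields are available with `npm view terser-webpack-plugin@5.6.1 dist.attestations` and `npm view terser-webpack-plugin@5.6.1 _npmUser`, and `npm audit signatures` verifies the attestations of everything in an installed tree. Keep in mind what a valid attestation proves: that the tarball was built by the named workflow from a specific source commit. It does not vouch for the content of that commit or for the integrity of the repository's CI configuration, so the "publisher-changed" finding remains worth a look even when the new publisher is a CI identity with provenance.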