terser-webpack-plugin — Greenflagged

Terser plugin for webpack

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

evilebottnawisokrajhnns15000621931ev1stensberg__haiavivkeller

Keywords

uglifyuglify-jsuglify-esterserswcesbuildhtmlhtml-minifierhtml-minifier-tersercsscssnanocssoclean-csslightningcsswebpackwebpack-pluginminificationcompresscompressorminminificationminifierminifyoptimizeoptimizer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from individual maintainer to GitHub Actions CI/CD with SLSA provenance; standard for webpack org.	ai	2026/05/29
dependencies	unvetted-dep:@webpack-contrib/schema-utils	AI (dependencies): @webpack-contrib/schema-utils is a webpack-contrib org package consistent with this plugin's publisher and ecosystem; its use here is expected and contextually appropriate.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; published by the established webpack-contrib org with strong track record. Stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:worker-farm	AI (dependencies): worker-farm is an established package for parallel task execution; appropriate for minifier plugin's worker pool management.	ai	2026/04/22
phantom-deps	phantom-dep:serialize-javascript	AI (phantom-deps): serialize-javascript is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages.	ai	2026/04/22
phantom-deps	phantom-dep:@jridgewell/trace-mapping	AI (phantom-deps): @jridgewell/trace-mapping is a declared runtime dependency replacing source-map; phantom detection is a false positive for transpiled packages.	ai	2026/04/22
phantom-deps	phantom-dep:schema-utils	AI (phantom-deps): schema-utils is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages.	ai	2026/04/22
phantom-deps	phantom-dep:terser	AI (phantom-deps): terser is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages.	ai	2026/04/22
phantom-deps	phantom-dep:jest-worker	AI (phantom-deps): jest-worker is a declared runtime dependency used in compiled dist output; phantom detection is a false positive for transpiled packages.	ai	2026/04/22
source-diff	source-size-dropped	AI (source-diff): Package ships compiled dist/ output; size drop is a diff artifact from source reorganization, not code removal or stubbing.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (sokra, jhnns, ev1stensberg, etc.) are well-known webpack core contributors; this is a legitimate org-level addition, not a suspicious takeover.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Size increase explained by vendoring serialize-javascript (removed as runtime dep) directly into dist via new build scripts; consistent with reducing dependency surface.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are all established packages (cacache, find-cache-dir, is-wsl, source-map, webpack-sources, worker-farm) serving legitimate webpack plugin functions; no suspicious patterns.	ai	2026/04/22
dependencies	unvetted-dep:schema-utils	AI (dependencies): schema-utils is the standard webpack option validation library; its use is expected across all webpack plugin packages.	ai	2026/04/21
dependencies	unvetted-dep:jest-worker	AI (dependencies): jest-worker is used for parallel worker threads in webpack plugins; its use here is a well-established pattern in the webpack ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:terser	AI (dependencies): terser is the core minifier this plugin wraps; its presence as a dependency is fundamental and expected for all versions of this package.	ai	2026/04/21

Versions (showing 89 of 89)

Version	Deps	Published
5.6.1	4 / 42	2026-05-27
5.6.0	4 / 42	2026-05-08
5.5.0	4 / 32	2026-04-23
5.4.0	4 / 32	2026-03-10
5.3.17	4 / 32	2026-03-03
5.3.16	5 / 42	2025-12-11
5.3.15	5 / 42	2025-12-05
5.3.14	5 / 33	2025-03-06
5.3.13	5 / 33	2025-03-05
5.3.12	5 / 33	2025-02-27
5.3.11	5 / 33	2024-12-13
5.3.10	5 / 33	2023-12-28
5.3.9	5 / 33	2023-05-17
5.3.8	5 / 33	2023-05-06
5.3.7	5 / 33	2023-03-08
5.3.6	5 / 31	2022-08-29
5.3.5	5 / 31	2022-08-16
5.3.4	5 / 31	2022-08-12
5.3.3	5 / 31	2022-06-02
5.3.2	5 / 31	2022-06-02
5.3.1	5 / 31	2022-02-01
5.3.0	5 / 31	2021-12-16
5.2.5	5 / 30	2021-11-08
5.2.4	6 / 30	2021-09-09
5.2.3	6 / 30	2021-09-03
5.2.2	6 / 30	2021-09-03
5.2.1	6 / 30	2021-09-02
5.2.0	6 / 30	2021-08-31
5.1.4	6 / 27	2021-06-25
5.1.3	6 / 27	2021-05-31
5.1.2	6 / 27	2021-05-12
5.1.1	6 / 28	2021-01-09
5.1.0	6 / 28	2021-01-08
5.0.3	6 / 28	2020-10-28
5.0.2	6 / 28	2020-10-27
5.0.1	6 / 26	2020-10-23
5.0.0	6 / 26	2020-10-14
4.2.3	9 / 26	2020-10-07
4.2.2	9 / 26	2020-09-19
4.2.1	9 / 26	2020-09-15
4.2.0	9 / 26	2020-09-11
4.1.0	9 / 26	2020-08-10
4.0.0	9 / 26	2020-08-04
3.1.0	9 / 26	2020-08-03
3.0.8	9 / 26	2020-07-27
3.0.7	9 / 25	2020-07-16
3.0.6	9 / 24	2020-06-18
3.0.5	9 / 23	2020-06-15
3.0.4	9 / 23	2020-06-13
3.0.3	9 / 23	2020-06-03
3.0.2	9 / 23	2020-05-26
3.0.1	9 / 23	2020-05-06
3.0.0	9 / 23	2020-05-01
2.3.8	9 / 23	2020-08-12
2.3.7	9 / 23	2020-06-03
2.3.6	9 / 23	2020-04-25
2.3.5	9 / 25	2020-02-14
2.3.4	9 / 25	2020-01-30
2.3.3	9 / 25	2020-01-28
2.3.2	8 / 25	2020-01-09
2.3.1	8 / 25	2019-12-17
2.3.0	8 / 25	2019-12-12
2.2.3	8 / 25	2019-12-11
2.2.2	8 / 25	2019-12-06
2.2.1	8 / 25	2019-10-22
2.2.0	8 / 25	2019-10-22
2.1.3	8 / 25	2019-10-10
2.1.2	8 / 25	2019-09-28
2.1.1	8 / 25	2019-09-27
2.1.0	8 / 25	2019-09-16
2.0.1	8 / 25	2019-09-06
2.0.0	8 / 25	2019-09-05
1.4.6	9 / 25	2024-07-23
1.4.5	9 / 25	2020-08-12
1.4.4	9 / 25	2020-06-03
1.4.3	9 / 25	2019-12-11
1.4.2	9 / 25	2019-12-06
1.4.1	9 / 25	2019-07-31
1.4.0	10 / 25	2019-07-31
1.3.0	10 / 27	2019-05-24
1.2.4	9 / 25	2019-05-15
1.2.3	8 / 24	2019-02-25
1.2.2	8 / 25	2019-02-04
1.2.1	8 / 26	2018-12-27
1.2.0	8 / 26	2018-12-22
1.1.0	8 / 26	2018-09-14
1.0.2	8 / 27	2018-08-16
1.0.1	8 / 27	2018-08-15
1.0.0	8 / 27	2018-08-02

v5.6.1

2 findings

HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.6.0

2 findings

HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.