webpack-bundle-analyzer

Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap

Versions: 23
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

15000621931ev1stensberg__haisokraavivkellerevilebottnawibebrawvalscionth0rd3viant0ne

Keywords

webpack, bundle, analyzer, modules, size, interactive, chart, treemap, zoomable, zoom

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): th0r → valscion is a documented legitimate maintainer transition within the webpack-contrib org. valscion has 19 approved packages and no rejections; this is not a suspicious actor. | ai
publish-pattern | dormant-publish | AI (publish-pattern): Dormancy is explained by the maintainer transition from th0r to webpack-contrib/valscion. Package is under the official webpack-contrib GitHub org with no other risk signals. | ai
semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is in the bundled FoamTree visualization library (public/viewer.js), a known third-party component. This is expected behavior for this visualization library, not a malware indicator. | ai
phantom-deps | phantom-dep:filesize | AI (phantom-deps): filesize is explicitly declared as a runtime dependency in package.json; the phantom-dep finding is a false positive for this package. | ai
dependencies | unvetted-dep:@discoveryjs/json-ext | AI (dependencies): json-ext is a known JSON streaming utility from the discoveryjs org; legitimate use for handling large bundle stats JSON. | ai
dependencies | unvetted-dep:sirv | AI (dependencies): sirv is a well-known static file serving library; its use in webpack-bundle-analyzer for serving the analyzer UI is expected and legitimate. | ai
phantom-deps | phantom-dep:escape-string-regexp | AI (phantom-deps): Minor packaging artifact: escape-string-regexp is listed in deps but not directly imported. Not a security concern for this package. | ai
dependencies | unvetted-dep:opener | AI (dependencies): opener is a well-known utility for opening URLs in the browser; standard use in CLI tools like webpack-bundle-analyzer. | ai
dependencies | unvetted-dep:acorn-walk | AI (dependencies): acorn-walk is the official AST walker for acorn, a core JS parser; expected dependency for bundle analysis tooling. | ai
dependencies | unvetted-dep:html-escaper | AI (dependencies): html-escaper is a well-known, minimal HTML escaping utility; legitimate use in generating the analyzer report HTML. | ai

Versions (showing 23 of 23)

Version | Deps | Published
5.3.0 | 10 / 41 |
5.2.0 | 11 / 45 |
5.1.1 | 11 / 45 |
5.1.0 | 11 / 45 |
5.0.1 | 11 / 45 |
5.0.0 | 11 / 44 |
4.10.2 | 12 / 45 |
4.10.1 | 13 / 45 |
4.10.0 | 13 / 45 |
4.9.1 | 17 / 45 |
4.9.0 | 10 / 42 |
4.8.0 | 10 / 42 |
4.7.0 | 9 / 42 |
4.6.1 | 9 / 42 |
4.6.0 | 9 / 42 |
4.5.0 | 9 / 42 |
4.4.2 | 9 / 44 |
4.4.1 | 9 / 44 |
4.4.0 | 9 / 44 |
4.3.0 | 9 / 43 |
4.2.0 | 10 / 42 |
4.1.0 | 12 / 42 |
4.0.0 | 13 / 41 |

v5.2.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.10.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.10.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.10.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.9.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.9.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.8.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.7.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.2

2 findings
HIGH | Publisher changed: th0r → valscion (on 2021-05-17) | provenance

This version was published by a different npm account than previous versions on 2021-05-17. This could indicate a legitimate maintainer transition or an account compromise.

LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.4.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.2.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.