webpack-cli
CLI for webpack & friends
Versions: 3
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers
evilebottnawi15000621931ev1stensberg__haisokraavivkeller
Keywords
webpack, cli, scaffolding, module, bundler, web
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:webpack-merge | AI (phantom-deps): webpack-merge is a legitimate runtime dep used for config merging; dynamic loading pattern causes false phantom-dep detection. | ai | |
| phantom-deps | phantom-dep:@webpack-cli/info | AI (phantom-deps): First-party sub-package of the webpack-cli monorepo; loaded dynamically as a CLI sub-command. Not a phantom dependency. | ai | |
| phantom-deps | phantom-dep:@webpack-cli/serve | AI (phantom-deps): First-party sub-package of the webpack-cli monorepo; loaded dynamically as a CLI sub-command. Not a phantom dependency. | ai | |
| phantom-deps | phantom-dep:@webpack-cli/configtest | AI (phantom-deps): First-party sub-package of the webpack-cli monorepo; loaded dynamically as a CLI sub-command. Not a phantom dependency. | ai | |
| phantom-deps | phantom-dep:envinfo | AI (phantom-deps): envinfo is a legitimate runtime dep used by webpack-cli's info command; dynamic loading pattern causes false phantom-dep detection. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Intentional ESM interop pattern: new Function wraps a hardcoded import() call to enable dynamic ESM loading in CJS environments. Input is not user-controlled. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() wraps a dynamic import() call for loading user config files — a known CJS/ESM interop workaround in webpack-cli. Present in official source; not malicious. | ai | |
| dependencies | unvetted-dep:envinfo | AI (dependencies): envinfo is a well-known environment reporting utility; a standard and expected dependency for webpack-cli. | ai | |
| dependencies | unvetted-dep:webpack-merge | AI (dependencies): webpack-merge is a core webpack ecosystem utility for merging configs; a standard and expected dependency for webpack-cli. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load the webpack peer dependency by package name constant — standard optional peer dep loading pattern in webpack-cli, not arbitrary code loading. | ai | |
v7.0.3 (1 finding)
- INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.2 (1 finding)
- LOW (provenance): No provenance attestation. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.