webpack-dev-middleware — Greenflagged

A development middleware for webpack

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

15000621931ev1stensberg__haisokraavivkellerevilebottnawijhnnshiroppy

Keywords

webpackmiddlewaredevelopment

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Package transitioned to GitHub Actions CI/CD publishing with SLSA provenance attestation under the official webpack org. This is a legitimate and improved release practice, not a compromise.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are consistent with the webpack organization's contributor base. Package has SLSA provenance and is published from the official webpack/webpack-dev-middleware repo.	ai	2026/04/23
dependencies	unvetted-dep:memfs	AI (dependencies): memfs is a well-known in-memory filesystem library that is a standard dependency of webpack-dev-middleware for serving compiled assets; its use is expected and appropriate for this package.	ai	2026/04/21
dependencies	unvetted-peer-dep:webpack	AI (dependencies): webpack is the canonical peer dependency for webpack-dev-middleware; this is expected and stable across all versions of this package.	ai	2026/04/21

Versions (showing 18 of 18)

Version	Deps	Published
8.0.3	5 / 37	2026-04-07
8.0.2	5 / 37	2026-03-24
8.0.1	5 / 37	2026-03-23
8.0.0	5 / 37	2026-03-20
7.4.5	6 / 50	2025-09-24
7.4.4	6 / 50	2025-09-23
7.4.3	6 / 52	2025-09-05
7.4.2	6 / 43	2024-08-21
7.4.1	6 / 43	2024-08-20
7.4.0	6 / 43	2024-08-19
7.3.0	6 / 44	2024-07-18
7.2.1	6 / 40	2024-04-02
7.2.0	6 / 40	2024-03-29
7.1.1	6 / 35	2024-03-21
7.1.0	6 / 35	2024-03-19
6.1.3	5 / 33	2024-03-29
6.1.2	5 / 33	2024-03-20
5.3.4	5 / 33	2024-03-20

v8.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.2

2 findings

HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-03-24) provenance

This version was published by a different npm account than previous versions on 2026-03-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.1

2 findings

HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-03-23) provenance

This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.0

2 findings

HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-03-20) provenance

This version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.