webpack-dev-server
Serves a webpack app. Updates the browser on changes.
4
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
15000621931ev1stensberg__haisokraavivkellerevilebottnawijhnnshiroppy
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:launch-editor | AI (dependencies): launch-editor is a well-known utility used by webpack-dev-server for its editor-open-on-error feature; stable legitimate dependency for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Child process import in CLI bin file is legitimate for a dev server tool that spawns processes. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Child process spawn in CLI is expected behavior for webpack-dev-server's command execution. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/serve-index | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/serve-static | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/express-serve-static-core | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:spdy | AI (phantom-deps): spdy is a legitimate HTTP/2 library used by webpack-dev-server for HTTPS/HTTP2 support; referenced in config/conditional code paths rather than a top-level import. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is used to deserialize a user-configured overlay filter function string — a documented webpack-dev-server feature, not an external attack surface. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require uses require.resolve() to load a known package's package.json — standard Node.js pattern, not arbitrary code execution. Stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/connect-history-api-fallback | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/sockjs | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai | |
| phantom-deps | phantom-dep:@types/bonjour | AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 5.2.4 | 28 / 61 | |
| 5.2.3 | 28 / 61 | |
| 5.2.2 | 28 / 57 | |
| 5.2.1 | 28 / 57 |
v5.2.4
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.3
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.