webpack-stats-plugin
Webpack stats plugin
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package predating provenance support; publisher is long-trusted. Stable FP for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher moved from personal account (ryan.roemer) to org account (formidablelabs) — both belong to Formidable Labs, consistent with repo URL and author field. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Formidable Labs team members; normal org team rotation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are former Formidable Labs team members; normal org team rotation. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 1.1.3 | 0 / 20 | |
| 1.1.2 | 0 / 20 | |
| 1.1.1 | 0 / 18 | |
| 1.1.0 | 0 / 18 | |
| 1.0.3 | 0 / 17 | |
| 1.0.2 | 0 / 17 | |
| 1.0.1 | 0 / 17 | |
| 1.0.0 | 0 / 17 | |
| 0.3.2 | 0 / 14 | |
| 0.3.1 | 0 / 14 | |
| 0.3.0 | 0 / 14 | |
| 0.2.1 | 0 / 14 | |
| 0.2.0 | 0 / 7 | |
| 0.1.5 | 0 / 5 | |
| 0.1.4 | 0 / 5 | |
| 0.1.3 | 0 / 5 | |
| 0.1.2 | 0 / 5 | |
| 0.1.1 | 0 / 5 | |
| 0.1.0 | 0 / 5 | |
| 0.0.4 | 0 / 5 | |
| 0.0.3 | 0 / 4 | |
| 0.0.2 | 0 / 4 | |
| 0.0.1 | 0 / 4 | |
v1.1.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.1.2
2 findings:
- This version was published by a different npm account than previous versions on 2023-06-02. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findings:
- Maintainer email '[email protected]' uses domain 'michaelmerrill.io' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.