webpack
Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:schemas/plugins/dll/DllReferencePlugin.check.js | AI (source-diff): Auto-generated schema validator; header comment documents generation. Stable pattern for webpack. | ai | |
| npm-metadata | url-dep:tooling | AI (npm-metadata): webpack/tooling is the project's own dev tooling repo; pinned to a tag. devDep only. | ai | |
| phantom-deps | phantom-dep:clone | AI (phantom-deps): clone is a declared runtime dependency; phantom-dep false positive for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is in a benchmark fixture file with a hardcoded benign string; not production code and not a security risk for this package. | ai | |
| dependencies | unvetted-dep:base64-encode | AI (dependencies): base64-encode is a simple utility dependency used by the canonical webpack package published by its original author; no meaningful risk for this package. | ai | |
| dependencies | unvetted-dep:enhanced-require | AI (dependencies): enhanced-require was a legitimate early webpack dependency; expected for this vintage (0.4.x era) of the package. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:jade-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:json-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:bundle-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:raw-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:val-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:coffee-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| phantom-deps | phantom-dep:script-loader | AI (phantom-deps): Webpack references loaders in config files; phantom deps are expected for this architecture. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): evilebottnawi is a known webpack ecosystem contributor; addition is consistent with the webpack team's known membership and not a suspicious takeover. | ai | |
| provenance | publisher-changed | AI (provenance): thelarkinn (Sean Larkin) is a documented, long-standing webpack core team member. The sokra→thelarkinn transition is a known legitimate handoff within the webpack organization. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() calls appear only in example build scripts demonstrating webpack CLI usage; not part of the runtime library. | ai | |
| provenance | no-provenance | AI (provenance): Provenance is not yet standard practice; absence is not a security signal for established packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 35 new files correspond to WebAssembly module support added in webpack 4.x — a documented, expected feature expansion for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New @webassemblyjs/* deps are webpack's documented WASM support; json-parse-better-errors is a well-known utility. All are legitimate additions for webpack 4.x feature development. | ai | |
| dependencies | unvetted-dep:uglifyjs-webpack-plugin | AI (dependencies): uglifyjs-webpack-plugin is a legitimate minifier plugin; expected dependency for webpack. | ai | |
| bogus-package | bogus-package | AI (bogus-package): False positive; sokra maintains multiple legitimate webpack-related packages; no keywords is common for CLI tools. | ai | |
| phantom-deps | phantom-dep:acorn | AI (phantom-deps): acorn is used for parsing; phantom dependency is expected for bundler configuration. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): webpack's DotenvPlugin intentionally spreads process.env as its core functionality — making env vars available to builds. Not exfiltration. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): DotenvPlugin enumerates process.env keys by design to merge .env file values with environment variables. Expected behavior for a dotenv plugin. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in a Proxy handler is idiomatic JavaScript for transparent property forwarding — standard config normalization pattern, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/json-schema | AI (phantom-deps): @types/* packages are legitimately in webpack's runtime deps as they are re-exported as part of webpack's public TypeScript API surface. | ai | |
| phantom-deps | phantom-dep:loader-utils | AI (phantom-deps): loader-utils is used in config; phantom dependency is expected for bundler configuration. | ai | |
| phantom-deps | phantom-dep:@types/estree | AI (phantom-deps): @types/estree is a TypeScript type declaration package used for type checking; not a runtime import. Framework-scoped phantom dep is expected. | ai | |
| phantom-deps | phantom-dep:@types/eslint-scope | AI (phantom-deps): @types/eslint-scope is a TypeScript type declaration package; not a runtime import. Framework-scoped phantom dep is expected. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in ConcatenatedModule is a legitimate bundler optimization for export name encoding. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in AssetGenerator.js is used to handle data URIs and asset content — core webpack functionality, not malicious. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() is webpack's documented mechanism for loading user-configured compilers based on file extension; stable legitimate pattern for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Child process spawning is webpack's documented CLI delegation pattern; not a malware indicator. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function('return this') in buildin/global.js is a well-known pattern for detecting the global object in bundled browser code. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process wrapper is appropriate for a build tool that may spawn processes. | ai | |
Versions (showing 100 of 372)
| Version | Deps | Published |
|---|---|---|
| 5.107.2 | 23 / 88 | |
| 5.107.1 | 23 / 88 | |
| 5.107.0 | 23 / 88 | |
| 5.106.1 | 25 / 88 | |
| 5.106.0 | 25 / 88 | |
| 5.105.4 | 25 / 87 | |
| 5.105.3 | 25 / 87 | |
| 5.105.2 | 25 / 86 | |
| 5.105.1 | 25 / 86 | |
| 5.105.0 | 25 / 79 | |
| 5.104.1 | 25 / 87 | |
| 4.47.0 | 23 / 53 | |
| 4.46.0 | 23 / 53 | |
| 4.45.0 | 23 / 53 | |
| 4.44.2 | 23 / 53 | |
| 4.44.1 | 23 / 53 | |
| 4.44.0 | 23 / 53 | |
| 4.43.0 | 23 / 53 | |
| 4.42.1 | 23 / 53 | |
| 4.42.0 | 23 / 52 | |
| 4.41.6 | 23 / 52 | |
| 4.41.5 | 23 / 52 | |
| 4.41.4 | 23 / 50 | |
| 4.41.3 | 23 / 50 | |
| 4.41.2 | 23 / 50 | |
| 4.41.1 | 23 / 50 | |
| 4.41.0 | 23 / 50 | |
| 4.40.3 | 23 / 50 | |
| 4.40.2 | 23 / 50 | |
| 4.40.1 | 23 / 50 | |
| 4.40.0 | 23 / 50 | |
| 4.39.3 | 23 / 50 | |
| 4.39.2 | 23 / 50 | |
| 4.39.1 | 23 / 50 | |
| 4.39.0 | 23 / 50 | |
| 4.38.0 | 23 / 52 | |
| 4.37.0 | 23 / 52 | |
| 4.36.1 | 23 / 52 | |
| 4.36.0 | 23 / 52 | |
| 4.35.3 | 23 / 51 | |
| 4.35.2 | 24 / 51 | |
| 4.35.1 | 24 / 51 | |
| 4.35.0 | 24 / 51 | |
| 4.34.0 | 24 / 50 | |
| 4.33.0 | 24 / 50 | |
| 4.32.2 | 24 / 50 | |
| 4.32.1 | 24 / 50 | |
| 4.32.0 | 24 / 50 | |
| 4.31.0 | 24 / 50 | |
| 4.30.0 | 24 / 50 | |
| 4.29.6 | 24 / 50 | |
| 4.29.5 | 24 / 49 | |
| 4.29.4 | 24 / 49 | |
| 4.29.3 | 24 / 49 | |
| 4.29.2 | 24 / 49 | |
| 4.29.1 | 24 / 50 | |
| 4.29.0 | 24 / 50 | |
| 4.28.4 | 24 / 50 | |
| 4.28.3 | 24 / 50 | |
| 4.28.2 | 24 / 50 | |
| 4.28.1 | 24 / 50 | |
| 4.28.0 | 24 / 50 | |
| 4.27.1 | 24 / 50 | |
| 4.27.0 | 24 / 50 | |
| 4.26.1 | 24 / 50 | |
| 4.26.0 | 24 / 50 | |
| 4.25.1 | 24 / 50 | |
| 4.25.0 | 24 / 50 | |
| 4.24.0 | 24 / 49 | |
| 4.23.1 | 24 / 49 | |
| 4.23.0 | 24 / 49 | |
| 4.22.0 | 24 / 49 | |
| 4.21.0 | 24 / 49 | |
| 4.20.2 | 24 / 50 | |
| 4.20.1 | 24 / 50 | |
| 4.20.0 | 24 / 50 | |
| 4.19.1 | 24 / 49 | |
| 4.19.0 | 24 / 49 | |
| 4.18.1 | 24 / 49 | |
| 4.18.0 | 24 / 49 | |
| 4.17.3 | 25 / 49 | |
| 4.17.2 | 25 / 49 | |
| 4.17.1 | 25 / 49 | |
| 4.17.0 | 25 / 49 | |
| 4.16.5 | 25 / 49 | |
| 4.16.4 | 25 / 49 | |
| 4.16.3 | 25 / 49 | |
| 4.16.2 | 25 / 49 | |
| 4.16.1 | 25 / 49 | |
| 4.16.0 | 25 / 49 | |
| 4.15.1 | 25 / 49 | |
| 4.15.0 | 25 / 49 | |
| 4.14.0 | 25 / 48 | |
| 4.13.0 | 25 / 48 | |
| 4.12.2 | 25 / 48 | |
| 4.12.1 | 25 / 48 | |
| 4.12.0 | 25 / 46 | |
| 4.11.1 | 25 / 46 | |
| 4.11.0 | 25 / 46 | |
| 4.10.2 | 24 / 46 | |
v5.107.2
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.107.1
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.107.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.25.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.25.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.24.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.22.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.21.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.19.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.19.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.18.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.18.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.5
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.4
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.14.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.13.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.12.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.12.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.12.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.10.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.