webpackbar

Elegant ProgressBar and Profiler for Webpack and Rspack

Versions: 7
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

SLSA provenance: No
npm registry signatures: present
gitHead: linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

atinux, pi0, clarkdo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | source-size-tripled | AI (source-diff): Size increase reflects switching from source-only to shipping pre-built CJS+ESM bundles via unbuild. Legitimate modernization, not injected payload. | ai |
source-diff | obfuscated-file:dist/index.cjs | AI (source-diff): dist/index.cjs is a standard unbuild/rollup bundle output. Long lines are an artifact of bundling, not obfuscation. Code is readable and uses known deps. | ai |
source-diff | obfuscated-file:dist/index.mjs | AI (source-diff): dist/index.mjs is a standard ESM bundle output from unbuild. Same rationale as index.cjs — bundled, not obfuscated. | ai |
email-domain | unclaimed-email:nuxt.ir | AI (email-domain): pi0 (Pooya Parsa) is the well-known Nuxt.js core maintainer; nuxt.ir is a vanity domain used by the Nuxt team. Package is hosted under the official nuxt GitHub org with a strong track record. | ai |
phantom-deps | phantom-dep:loader-utils | AI (phantom-deps): loader-utils is legitimately declared and used indirectly through webpack loader configuration; common pattern in webpack tooling. | ai |
phantom-deps | phantom-dep:schema-utils | AI (phantom-deps): schema-utils is legitimately declared and used indirectly through webpack plugin configuration; stable for this package. | ai |
source-diff | obfuscated-file:dist/shared/webpackbar.e03748fc.cjs | AI (source-diff): Standard unbuild-generated CJS bundle with readable code; long lines are typical minified dist output, not obfuscation. Stable for this package. | ai |
source-diff | obfuscated-file:dist/shared/webpackbar.88114b33.mjs | AI (source-diff): Standard unbuild-generated ESM bundle with readable code; long lines are typical minified dist output, not obfuscation. Stable for this package. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): markdown-table is a well-known, benign utility replacing text-table; the swap is a legitimate modernization for this profiler/progress-bar package. | ai |
dependencies | unvetted-dep:pretty-time | AI (dependencies): pretty-time is a stable, well-known utility for formatting time values; its use in webpackbar for build time display is expected and benign across all versions. | ai |
dependencies | unvetted-dep:ansi-escapes | AI (dependencies): ansi-escapes is a popular sindresorhus utility package; entirely expected for a terminal progress bar library. | ai |
dependencies | unvetted-dep:figures | AI (dependencies): figures is a popular sindresorhus utility package; entirely expected for a terminal progress bar library. | ai |
email-domain | unclaimed-email:pi0.ir | AI (email-domain): pi0 (Pooya Parsa) is a well-known Nuxt.js core contributor; the pi0.ir domain is his personal domain used consistently across his packages. Low practical hijack risk given established identity. | ai |
provenance | no-provenance | AI (provenance): pi0/unjs packages historically lack Sigstore provenance; this is a stable pattern for this publisher and not a security risk. | ai |

Versions (showing 7 of 7)

Version | Deps (direct / total) | Published
7.0.0 | 4 / 20 |
5.0.2 | 4 / 17 |
5.0.1 | 4 / 17 |
5.0.0 | 4 / 17 |
3.1.1 | 8 / 28 |
3.0.1 | 8 / 28 |
3.0.0 | 8 / 28 |

v5.0.2

3 findings

HIGH (source-diff): New obfuscated file: dist/index.cjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/index.mjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

3 findings

HIGH (source-diff): New obfuscated file: dist/index.cjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/index.mjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

3 findings

HIGH (source-diff): New obfuscated file: dist/index.cjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/index.mjs

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

1 finding

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.1

1 finding

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.