workbox-webpack-plugin
A plugin for your Webpack build process, helping you generate a manifest of local files that workbox-sw should precache.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:fast-json-stable-stringify | AI (dependencies): fast-json-stable-stringify is a stable, widely-used utility; its use in a webpack plugin is legitimate. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): pretty-bytes is a legitimate utility for byte formatting; reasonable addition for a webpack plugin. | ai | |
| provenance | no-provenance | AI (provenance): Established Google-maintained package published well before Sigstore provenance was widely adopted; absence of provenance is expected and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a declared dependency in package.json and is a standard Babel convention-loaded runtime helper; not a real phantom dep for this package. | ai | |
| provenance | publisher-changed | AI (provenance): tropicadri is a known Google engineer on the Workbox team; this is a documented team transition from jeffposnick, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): snugug is a known Workbox contributor; addition reflects legitimate team expansion in official project. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long gap reflects major version release cycle (v5→v6); publisher has strong track record with no compromise signals. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 7.4.1 | 5 / 2 | |
| 7.4.0 | 5 / 2 | |
| 7.3.0 | 5 / 2 | |
| 7.1.0 | 5 / 2 | |
| 7.0.0 | 5 / 2 | |
| 6.6.1 | 5 / 2 | |
| 6.6.0 | 5 / 2 | |
| 6.5.3 | 5 / 1 | |
| 6.5.2 | 5 / 1 | |
| 6.5.1 | 5 / 1 | |
| 6.5.0 | 5 / 1 | |
| 6.4.2 | 6 / 0 | |
| 6.4.1 | 6 / 0 | |
| 6.4.0 | 6 / 0 | |
| 6.3.0 | 6 / 0 | |
| 6.2.4 | 6 / 0 | |
| 6.2.3 | 6 / 0 | |
| 6.2.2 | 6 / 0 | |
| 6.2.1 | 6 / 0 | |
| 6.2.0 | 6 / 0 | |
| 6.1.5 | 6 / 0 | |
| 6.1.2 | 6 / 0 | |
| 6.1.1 | 6 / 0 | |
| 6.1.0 | 6 / 0 | |
| 6.0.2 | 6 / 0 | |
| 6.0.0 | 6 / 0 | |
| 5.1.4 | 6 / 0 | |
v7.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
v7.3.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-29. This could indicate a legitimate maintainer transition or an account compromise.
v7.1.0
2 findings
This version was published by a different npm account than previous versions on 2024-04-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-31. This could indicate a legitimate maintainer transition or an account compromise.
v6.6.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-30. This could indicate a legitimate maintainer transition or an account compromise.
v6.6.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-26. This could indicate a legitimate maintainer transition or an account compromise.
v6.5.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v6.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-15. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-03. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-11. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.