@botonic/dx-bundler-rspack

Versions: 10
License: (no value shown)
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ahubstreericmarcoskhaeshahmrabatoraventosalbert_gomarizteam.platform

Keywords

bot-framework, javascript, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| phantom-deps | phantom-dep:image-minimizer-webpack-plugin | AI (phantom-deps): Bundler config package; image-minimizer-webpack-plugin referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:svgo | AI (phantom-deps): Bundler config package; svgo referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): Bundler config package; ts-node referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:imagemin | AI (phantom-deps): Bundler config package; imagemin referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:imagemin-svgo | AI (phantom-deps): Bundler config package; imagemin-svgo referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:imagemin-optipng | AI (phantom-deps): Bundler config package; imagemin-optipng referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:crypto-browserify | AI (phantom-deps): Bundler config package; crypto-browserify referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:imagemin-gifsicle | AI (phantom-deps): Bundler config package; imagemin-gifsicle referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:imagemin-jpegtran | AI (phantom-deps): Bundler config package; imagemin-jpegtran referenced in config files, not directly imported. | ai | |
| phantom-deps | phantom-dep:clean-webpack-plugin | AI (phantom-deps): Bundler config package; clean-webpack-plugin referenced in config files, not directly imported. | ai | |
| dependencies | unvetted-dep:svgo | AI (dependencies): svgo is a well-known SVG optimizer; used as a peer/config dep by imagemin-svgo in this bundler package. | ai | |
| phantom-deps | phantom-dep:@swc/core | AI (phantom-deps): Build tool; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:null-loader | AI (phantom-deps): Webpack loader; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Webpack loader; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:@swc/helpers | AI (phantom-deps): Known implicit runtime dependency for @swc/core. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:react-refresh | AI (phantom-deps): Build tool; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:stream-browserify | AI (phantom-deps): Polyfill; referenced in rspack config, not direct import. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): Build tool; referenced in rspack config, not direct import. | ai | |

Versions (showing 10 of 10)

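| Version | Deps | Published |
| --- | --- | --- |
| 0.49.0 | 14 / 0 | |
| 0.48.0 | 14 / 0 | |
| 0.47.0 | 14 / 0 | |
| 0.46.0 | 14 / 0 | |
| 0.45.0 | 14 / 0 | |
| 0.44.0 | 24 / 0 | |
| 0.43.0 | 24 / 0 | |
| 0.42.0 | 24 / 0 | |
| 0.35.1 | 24 / 0 | |
| 0.35.0 | 24 / 0 | |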

v0.49.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.48.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.47.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.46.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.45.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.44.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.43.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.42.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.35.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.35.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.