@microsoft/spfx-web-build-rig
The Heft build rig for building SPFx projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): Build rig declares deps for consumer config use, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@types/jest | AI (phantom-deps): Type package declared for consumer use by convention; stable pattern for this rig. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-static-asset-typings-plugin | AI (phantom-deps): Plugin declared for consumer config use, not direct import; consistent with rig pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Build rig package; minimal README and no keywords are stable for this class of tooling. | ai | |
| dependencies | unvetted-dep:@rushstack/heft-dev-cert-plugin | AI (dependencies): Rush Stack official plugin; stable dependency for this build rig. | ai | |
| dependencies | unvetted-dep:@rushstack/heft | AI (dependencies): Well-known Microsoft Rush Stack tooling; stable dependency for this build rig package. | ai | |
| dependencies | unvetted-dep:@rushstack/heft-typescript-plugin | AI (dependencies): Rush Stack official plugin; stable dependency for this build rig. | ai | |
| dependencies | unvetted-dep:@rushstack/heft-webpack5-plugin | AI (dependencies): Rush Stack official plugin; stable dependency for this build rig. | ai | |
| dependencies | unvetted-dep:@types/heft-jest | AI (dependencies): Type definitions for heft-jest; benign Microsoft tooling ecosystem package. | ai | |
| dependencies | unvetted-dep:@rushstack/heft-jest-plugin | AI (dependencies): Rush Stack official plugin; stable dependency for this build rig. | ai | |
| dependencies | unvetted-dep:@rushstack/heft-lint-plugin | AI (dependencies): Rush Stack official plugin; stable dependency for this build rig. | ai | |
| phantom-deps | phantom-dep:@microsoft/spfx-heft-plugins | AI (phantom-deps): Same org scope; build rig plugin dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-dev-cert-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
| phantom-deps | phantom-dep:webpack | AI (phantom-deps): Build rig; webpack is a config-level dep, not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-typescript-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-webpack5-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
| phantom-deps | phantom-dep:jest-junit | AI (phantom-deps): Build rig; jest-junit is a reporter dep loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build rig; typescript is a toolchain dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft | AI (phantom-deps): Build rig; heft is the build orchestrator, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/heft-jest | AI (phantom-deps): Framework-scoped types package, loaded by convention in build rig. | ai | |
| phantom-deps | phantom-dep:@types/webpack-env | AI (phantom-deps): Framework-scoped types package, loaded by convention in build rig. | ai | |
| phantom-deps | phantom-dep:jest-environment-jsdom | AI (phantom-deps): Build rig; jest environment dep loaded by config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@microsoft/api-extractor | AI (phantom-deps): Same org scope; build rig toolchain dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-jest-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-lint-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@rushstack/heft-sass-plugin | AI (phantom-deps): Build rig plugin dep loaded by heft config, not directly imported. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 17 / 0 | |
| 1.22.2 | 15 / 0 | |
| 1.22.1 | 15 / 0 | |
| 1.22.0 | 15 / 0 | |
| 1.21.1 | 14 / 0 | |
v1.23.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.