@nativescript/webpack
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): NativeScript org migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern going forward. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy explained by org CI migration; SLSA attestation confirms legitimate publish pipeline. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:lodash.get | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:micromatch | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:raw-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped package loaded by convention in webpack config. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:webpack-cli | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:react-refresh | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:postcss-import | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@vue/compiler-sfc | AI (phantom-deps): Framework-scoped package loaded by convention in webpack config. | ai | |
| phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
| phantom-deps | phantom-dep:ts-loader | AI (phantom-deps): Webpack config tool; loaders/plugins referenced in config, not direct imports. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 5.0.35 | 37 / 16 | |
| 5.0.34 | 37 / 16 | |
| 5.0.33 | 37 / 16 | |
| 5.0.32 | 37 / 16 | |
| 5.0.31 | 37 / 16 | |
| 5.0.30 | 37 / 16 | |
| 5.0.29 | 37 / 16 | |
| 5.0.28 | 37 / 16 | |
| 5.0.27 | 37 / 16 | |
| 5.0.26 | 37 / 16 | |
| 5.0.25 | 37 / 16 | |
v5.0.35
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.34
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.33
2 findings: This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.32
2 findings: This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.31
2 findings: This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.30
2 findings: This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.