@nocobase/build
Library build tool based on rollup.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@rsdoctor/rspack-plugin | AI (dependencies): Official Rsdoctor plugin for Rspack bundle analysis; legitimate build tooling dependency from ByteDance/web-infra-dev. | ai | |
| dependencies | unvetted-dep:vite-plugin-css-injected-by-js | AI (dependencies): Well-known Vite plugin for CSS injection; legitimate build tooling dependency. | ai | |
| dependencies | unvetted-dep:vite-plugin-lib-inject-css | AI (dependencies): Well-known Vite plugin for CSS injection in library mode; legitimate build tooling dependency. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is a build-time dependency referenced in config files; normal for a TypeScript build tool package. | ai | |
| phantom-deps | phantom-dep:@types/gulp | AI (phantom-deps): Type definitions loaded by convention in TypeScript build tooling; not a direct import risk. | ai | |
| dependencies | unvetted-dep:@types/gulp | AI (dependencies): Standard TypeScript type definitions for gulp; expected dependency for a build tool package in the @nocobase ecosystem. | ai | |
| dependencies | unvetted-dep:@rsbuild/plugin-babel | AI (dependencies): Official Rsbuild Babel plugin from the ByteDance/web-infra-dev org; legitimate build tooling dependency. | ai | |
| dependencies | unvetted-dep:@types/lerna__package | AI (dependencies): Standard TypeScript type definitions for Lerna; expected for a monorepo build tool. | ai | |
| dependencies | unvetted-dep:@types/lerna__project | AI (dependencies): Standard TypeScript type definitions for Lerna; expected for a monorepo build tool. | ai | |
| bogus-package | bogus-package | AI (bogus-package): NocoBase is a large monorepo; scoped build packages typically lack standalone README/keywords and link to the main project docs. Not indicative of spam or phishing. | ai | |
| phantom-deps | phantom-dep:@rsbuild/plugin-babel | AI (phantom-deps): Build tool referencing rsbuild plugin in config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/lerna__package | AI (phantom-deps): Type-only package loaded by convention in a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:react-imported-component | AI (phantom-deps): Referenced in config files for build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:vite-plugin-css-injected-by-js | AI (phantom-deps): Vite plugin referenced in config; standard for a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-dynamic-import | AI (phantom-deps): Babel plugin referenced in config; standard for a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-dynamic-import | AI (phantom-deps): Babel plugin loaded by convention; standard for a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-modules-amd | AI (phantom-deps): Babel plugin loaded by convention; standard for a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss-preset-env | AI (phantom-deps): PostCSS plugin referenced in config; standard for a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/tar | AI (phantom-deps): Type-only package loaded by convention; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/lerna__project | AI (phantom-deps): Type-only package loaded by convention in a build tool; stable for this package. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): Build tool referencing less in config files without direct import is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Build tool referencing postcss in config files without direct import is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Build tool referencing css-loader in webpack/rspack config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Build tool referencing babel-loader in config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Build tool referencing style-loader in config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:@svgr/webpack | AI (phantom-deps): Build tool referencing @svgr/webpack in config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Build tool referencing postcss-loader in config is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Build tool loading @babel/core by convention is standard; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Build tool loading @babel/preset-env by convention is standard; stable for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Build tool spreading process.env into child process spawn is standard practice for propagating environment context to compilation subprocesses. Not a credential leak risk. | ai | |
| typosquat | typosquat.levenshtein:esbuild | AI (typosquat): Scoped package @nocobase/build cannot be a typosquat of unscoped 'esbuild'; it is a build tool in the established NocoBase monorepo ecosystem. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped package @nocobase/build cannot be a typosquat of unscoped 'uuid'; different namespace, different purpose entirely. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load package.json from the target package directory — standard pattern for build orchestration tools inspecting the package being built. | ai |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 2.0.61 | 36 / 0 | |
| 2.0.60 | 36 / 0 | |
| 2.0.59 | 36 / 0 | |
| 2.0.58 | 36 / 0 | |
| 2.0.57 | 36 / 0 | |
| 2.0.56 | 36 / 0 | |
| 2.0.55 | 36 / 0 | |
| 2.0.54 | 36 / 0 | |
| 2.0.53 | 36 / 0 | |
| 2.0.52 | 36 / 0 | |
| 2.0.51 | 36 / 0 | |
| 2.0.50 | 36 / 0 | |
| 2.0.49 | 36 / 0 | |
| 2.0.48 | 36 / 0 | |
| 2.0.47 | 36 / 0 | |
| 2.0.46 | 36 / 0 | |
| 2.0.45 | 36 / 0 | |
| 2.0.44 | 36 / 0 | |
| 2.0.43 | 36 / 0 | |
| 2.0.42 | 36 / 0 | |
| 2.0.41 | 36 / 0 | |
| 2.0.40 | 36 / 0 | |
| 2.0.39 | 36 / 0 | |
| 2.0.38 | 36 / 0 | |
| 2.0.37 | 36 / 0 | |
| 2.0.36 | 36 / 0 | |
| 2.0.33 | 36 / 0 | |
| 2.0.32 | 36 / 0 | |
| 2.0.31 | 36 / 0 | |
| 2.0.30 | 36 / 0 | |
| 2.0.29 | 36 / 0 | |
| 2.0.28 | 36 / 0 | |
| 2.0.27 | 36 / 0 | |
| 2.0.26 | 36 / 0 | |
| 1.9.63 | 36 / 0 | |
| 1.9.62 | 36 / 0 | |
| 1.9.61 | 36 / 0 | |
| 1.9.60 | 36 / 0 | |
| 1.9.59 | 36 / 0 | |
| 1.9.58 | 36 / 0 | |
| 1.9.57 | 36 / 0 | |
| 1.9.0 | 39 / 0 |
v2.0.61
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.60
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.59
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.58
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.57
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.56
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.55
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.54
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.53
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.52
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.51
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.50
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.49
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.48
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.47
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.44
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.43
2 findingsSpreading entire process.env into an object — may capture all secrets 137 | cwd, 138 | stdio: "inherit", > 139 | env: { 140 | ...process.env, 141 | ...envs,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.42
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.41
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.40
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.39
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.38
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.37
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.36
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.33
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.32
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.27
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.63
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.62
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.61
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.60
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.59
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.58
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.57
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.