← Home

@rolldown/browser

npm Repository Homepage

Fast JavaScript/TypeScript bundler in Rust with Rollup-compatible API.

3
Versions
MIT
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

broooooklynyyx990803rolldownbotsapphi-red

Keywords

bundleresbuildparcelrolldownrollupwebpack

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/shared/prompt-DewH0PjV.mjs AI (source-diff): Minified build artifact from consola dependency; readable source comments confirm legitimate bundler output. ai
source-diff obfuscated-file:dist/shared/rolldown-build-BodFrzFa.mjs AI (source-diff): Minified rolldown internal build artifact; source structure and imports confirm legitimate bundler output. ai
source-diff obfuscated-file:dist/shared/binding-Ba2kzvIy.d.mts AI (source-diff): TypeScript declaration file with long lines due to large export lists; not obfuscated, just a wide type declaration. ai
install-scripts install-script:preinstall AI (install-scripts): npx only-allow pnpm is a standard monorepo package-manager guard; not a security risk. ai
phantom-deps phantom-dep:@emnapi/core AI (phantom-deps): Declared runtime dep for WASM/emnapi bindings; stable false positive for this package. ai
phantom-deps phantom-dep:@emnapi/runtime AI (phantom-deps): Declared runtime dep for WASM/emnapi bindings; stable false positive for this package. ai

Versions (showing 3 of 3)

Version Deps Published
1.0.2 3 / 0
1.0.1 3 / 0
1.0.0 3 / 0

v1.0.2

4 findings
HIGH New obfuscated file: dist/shared/prompt-DewH0PjV.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shared/rolldown-build-BodFrzFa.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shared/binding-Ba2kzvIy.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

2 findings
HIGH Package has 'preinstall' script install-scripts

Script: npx only-allow pnpm

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

2 findings
HIGH Package has 'preinstall' script install-scripts

Script: npx only-allow pnpm

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.