@rollipop/rolldown
Fast JavaScript/TypeScript bundler in Rust with Rollup-compatible API.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/shared/rolldown-build-Df-vz0Zv.mjs | AI (source-diff): Standard bundler build output; long lines from minification, not obfuscation. Consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-C1JLRyVO.mjs | AI (source-diff): Long lines are bundler output (rolldown bundles itself); readable identifiers confirm no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-EhkMDtj3.mjs | AI (source-diff): Minified bundler output with readable imports/logic; no obfuscation indicators. SLSA provenance confirms CI build origin. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DYnaB1Nb.mjs | AI (source-diff): Bundled consola prompt library; minified dist output, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-DOmcVgQR.mjs | AI (source-diff): Bundled rolldown build logic; minified dist output consistent with bundler package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-BRkOWCDB.mjs | AI (source-diff): Minified/bundled build output for a JS bundler package; not obfuscated malware. SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-Dy4Qg7um.mjs | AI (source-diff): Minified bundler output with readable code; not obfuscated. Expected artifact for a bundler package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-BKTuWCJv.mjs | AI (source-diff): Minified bundler build output with readable identifiers and SLSA provenance; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-BlO9UHnS.mjs | AI (source-diff): Minified build artifact from bundler pipeline; readable JS with named imports, not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/shared/rolldown-build-BZvmhVbS.mjs | AI (source-diff): Minified bundler output; readable imports and logic visible in sample, no obfuscation or payload. | ai |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 1.0.10 | 2 / 20 | |
| 1.0.9 | 2 / 20 | |
| 1.0.8 | 2 / 20 | |
| 1.0.7 | 2 / 20 | |
| 1.0.6 | 2 / 20 | |
| 1.0.5 | 2 / 20 | |
| 1.0.4 | 2 / 20 | |
| 1.0.3 | 2 / 20 | |
| 1.0.2 | 2 / 20 | |
| 1.0.1 | 2 / 20 | |
| 1.0.0 | 2 / 20 |
v1.0.10
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.9
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.