@rsbuild/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/711.js | AI (source-diff): Bundled build output; network+dynamic-require is inherent to this build tool, no hostile target. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Prebundled compiled/ directory is a stable pattern for this package. | ai | |
| source-diff | obfuscated-file:compiled/webpack-bundle-analyzer/public/viewer.js | AI (source-diff): Prebundled frontend viewer bundle; minification is standard. | ai | |
| source-diff | net-exec-file:compiled/webpack-bundle-analyzer/dist/index.js | AI (source-diff): Prebundled webpack-bundle-analyzer with server component; expected. | ai | |
| source-diff | obfuscated-file:compiled/webpack-bundle-analyzer/dist/index.js | AI (source-diff): Prebundled webpack-bundle-analyzer; minification is expected. | ai | |
| source-diff | obfuscated-file:compiled/memfs/index.js | AI (source-diff): Prebundled/minified memfs dependency; standard for this package. | ai | |
| source-diff | net-exec-file:compiled/http-proxy-middleware/index.js | AI (source-diff): Prebundled http-proxy-middleware; network+exec is its core function. | ai | |
| source-diff | net-exec-file:dist/131.js | AI (source-diff): Rspack chunk output; network+exec from bundled build-tool internals. | ai | |
| source-diff | net-exec-file:dist/index.cjs | AI (source-diff): Webpack-bundled main entry; network+exec from bundled deps (http-proxy, ws) is expected for a build tool. | ai | |
| source-diff | net-exec-file:dist/506.js | AI (source-diff): Webpack bundle of known deps (http-proxy-middleware, memfs, etc.); expected for a build tool. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 409 versions over 940 days; CI-published with SLSA provenance — not a real dormancy signal. | ai | |
| source-diff | net-exec-file:dist/58.js | AI (source-diff): Webpack bundle of known deps (postcss, http-proxy-middleware, etc.); expected for a build tool. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval('require')('debug') is standard webpack bundling pattern in compiled deps. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): launch-editor-middleware legitimately needs child_process. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Bundled debug library filtering DEBUG_ env vars; standard behavior. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Standard dynamic import() polyfill pattern in bundled postcss-loader. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Minified compiled output; no malicious payload. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): PostCSS plugin loader using dynamic require; expected in build tooling. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped Rspack build tool is not a typosquat of the cors middleware package. | ai |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 2.1.5 | 2 / 42 | |
| 2.1.4 | 2 / 42 | |
| 2.1.3 | 2 / 42 | |
| 2.1.2 | 2 / 41 | |
| 2.1.1 | 2 / 41 | |
| 2.1.0 | 2 / 41 | |
| 2.0.15 | 2 / 41 | |
| 2.0.14 | 2 / 41 | |
| 2.0.13 | 2 / 41 | |
| 2.0.12 | 2 / 41 | |
| 2.0.11 | 2 / 41 | |
| 2.0.10 | 2 / 41 | |
| 2.0.9 | 2 / 41 | |
| 2.0.8 | 2 / 41 | |
| 2.0.7 | 2 / 41 | |
| 2.0.6 | 2 / 41 | |
| 2.0.5 | 2 / 41 | |
| 2.0.4 | 2 / 41 | |
| 2.0.3 | 2 / 41 | |
| 2.0.2 | 2 / 41 | |
| 2.0.1 | 2 / 41 | |
| 2.0.0 | 2 / 41 | |
| 1.7.6 | 5 / 44 | |
| 1.7.5 | 5 / 44 | |
| 1.7.4 | 5 / 44 | |
| 1.7.3 | 5 / 44 | |
| 1.7.2 | 5 / 44 | |
| 1.7.1 | 5 / 44 | |
| 1.7.0 | 5 / 44 | |
| 1.6.15 | 5 / 44 | |
| 1.6.14 | 5 / 44 | |
| 1.6.13 | 5 / 44 | |
| 1.6.12 | 5 / 44 | |
| 1.6.11 | 5 / 44 | |
| 1.6.10 | 5 / 44 | |
| 1.6.9 | 5 / 44 | |
| 1.6.8 | 5 / 44 | |
| 1.6.7 | 5 / 44 | |
| 1.6.6 | 5 / 44 | |
| 1.6.5 | 5 / 44 | |
| 1.6.4 | 5 / 44 | |
| 1.6.3 | 5 / 44 | |
| 1.6.2 | 5 / 44 | |
| 1.6.1 | 5 / 44 | |
| 1.6.0 | 5 / 44 |
v2.1.5
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.2
2 findingsPackage name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
2 findingsPackage name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
2 findingsPackage name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.6
8 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.