← Home

@rsbuild/core

45
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

chenjiahanhardfist3

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/711.js AI (source-diff): Bundled build output; network+dynamic-require is inherent to this build tool, no hostile target. ai
source-diff large-new-source-files AI (source-diff): Prebundled compiled/ directory is a stable pattern for this package. ai
source-diff obfuscated-file:compiled/webpack-bundle-analyzer/public/viewer.js AI (source-diff): Prebundled frontend viewer bundle; minification is standard. ai
source-diff net-exec-file:compiled/webpack-bundle-analyzer/dist/index.js AI (source-diff): Prebundled webpack-bundle-analyzer with server component; expected. ai
source-diff obfuscated-file:compiled/webpack-bundle-analyzer/dist/index.js AI (source-diff): Prebundled webpack-bundle-analyzer; minification is expected. ai
source-diff obfuscated-file:compiled/memfs/index.js AI (source-diff): Prebundled/minified memfs dependency; standard for this package. ai
source-diff net-exec-file:compiled/http-proxy-middleware/index.js AI (source-diff): Prebundled http-proxy-middleware; network+exec is its core function. ai
source-diff net-exec-file:dist/131.js AI (source-diff): Rspack chunk output; network+exec from bundled build-tool internals. ai
source-diff net-exec-file:dist/index.cjs AI (source-diff): Webpack-bundled main entry; network+exec from bundled deps (http-proxy, ws) is expected for a build tool. ai
source-diff net-exec-file:dist/506.js AI (source-diff): Webpack bundle of known deps (http-proxy-middleware, memfs, etc.); expected for a build tool. ai
publish-pattern dormant-publish AI (publish-pattern): 409 versions over 940 days; CI-published with SLSA provenance — not a real dormancy signal. ai
source-diff net-exec-file:dist/58.js AI (source-diff): Webpack bundle of known deps (postcss, http-proxy-middleware, etc.); expected for a build tool. ai
semgrep semgrep:eval-usage AI (semgrep): eval('require')('debug') is standard webpack bundling pattern in compiled deps. ai
semgrep semgrep:child-process-import AI (semgrep): launch-editor-middleware legitimately needs child_process. ai
semgrep semgrep:env-bulk-read AI (semgrep): Bundled debug library filtering DEBUG_ env vars; standard behavior. ai
semgrep semgrep:new-function-constructor AI (semgrep): Standard dynamic import() polyfill pattern in bundled postcss-loader. ai
semgrep semgrep:base64-decode AI (semgrep): Minified compiled output; no malicious payload. ai
semgrep semgrep:dynamic-require AI (semgrep): PostCSS plugin loader using dynamic require; expected in build tooling. ai
typosquat typosquat.levenshtein:cors AI (typosquat): Scoped Rspack build tool is not a typosquat of the cors middleware package. ai

Versions (showing 45 of 45)

Version Deps Published
2.1.5 2 / 42
2.1.4 2 / 42
2.1.3 2 / 42
2.1.2 2 / 41
2.1.1 2 / 41
2.1.0 2 / 41
2.0.15 2 / 41
2.0.14 2 / 41
2.0.13 2 / 41
2.0.12 2 / 41
2.0.11 2 / 41
2.0.10 2 / 41
2.0.9 2 / 41
2.0.8 2 / 41
2.0.7 2 / 41
2.0.6 2 / 41
2.0.5 2 / 41
2.0.4 2 / 41
2.0.3 2 / 41
2.0.2 2 / 41
2.0.1 2 / 41
2.0.0 2 / 41
1.7.6 5 / 44
1.7.5 5 / 44
1.7.4 5 / 44
1.7.3 5 / 44
1.7.2 5 / 44
1.7.1 5 / 44
1.7.0 5 / 44
1.6.15 5 / 44
1.6.14 5 / 44
1.6.13 5 / 44
1.6.12 5 / 44
1.6.11 5 / 44
1.6.10 5 / 44
1.6.9 5 / 44
1.6.8 5 / 44
1.6.7 5 / 44
1.6.6 5 / 44
1.6.5 5 / 44
1.6.4 5 / 44
1.6.3 5 / 44
1.6.2 5 / 44
1.6.1 5 / 44
1.6.0 5 / 44

v2.1.5

2 findings
HIGH New file with network + code execution: dist/711.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.8

2 findings
HIGH New file with network + code execution: dist/756.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@rsbuild/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.6

8 findings
HIGH New file with network + code execution: dist/index.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/131.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: compiled/http-proxy-middleware/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: compiled/memfs/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: compiled/webpack-bundle-analyzer/dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: compiled/webpack-bundle-analyzer/dist/index.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: compiled/webpack-bundle-analyzer/public/viewer.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.