@rspack/browser

Rspack for running in the browser. This is still in an early stage and may not follow semver.

Versions: 8
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

hardfist, chenjiahan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | encoded-string-file:dist/index.js | AI (source-diff): Long strings are JSON-serialized crypto algorithm data from browserify-sign; not obfuscation. Pattern is stable for this bundled package. | ai |
dependencies | unvetted-dep:@types/watchpack | AI (dependencies): @types/watchpack is a standard DefinitelyTyped type definition package; no security risk. | ai |
phantom-deps | phantom-dep:@emnapi/core | AI (phantom-deps): Used as a WASM runtime dependency loaded by convention, not directly imported in source. | ai |
phantom-deps | phantom-dep:@types/watchpack | AI (phantom-deps): Type-only package loaded by framework convention; phantom-dep false positive for @types/* packages. | ai |
bogus-package | bogus-package | AI (bogus-package): Legitimate rspack monorepo sub-package; sparse README is expected for a browser-specific build artifact. | ai |

Versions (showing 8 of 8)

Version Deps Published
2.0.6 7 / 0
2.0.5 7 / 0
2.0.4 7 / 0
2.0.3 7 / 0
2.0.2 7 / 0
2.0.1 8 / 0
2.0.0 8 / 0
1.7.11 6 / 0

v2.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.4

2 findings
HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 9 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.3

2 findings
HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 9 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

2 findings
HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 9 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.