← Home

@rspack/cli

100
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hardfist3chenjiahan

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-tripled AI (source-diff): Size increase from inlining jiti+babel as compiled dependencies instead of runtime deps. ai
source-diff obfuscated-file:compiled/jiti/dist/babel.cjs AI (source-diff): Webpack-bundled @babel/core for jiti; standard prebundled dependency pattern for this CLI package. ai
source-diff obfuscated-file:compiled/jiti/dist/jiti.cjs AI (source-diff): Webpack-bundled jiti distribution; standard prebundled dependency pattern for this CLI package. ai
source-diff net-exec-file:compiled/jiti/dist/babel.cjs AI (source-diff): Babel core bundle naturally contains dynamic require + module resolution; not malicious network/exec. ai
provenance publisher-changed AI (provenance): Rspack migrated to GitHub Actions CI publishing with SLSA provenance attestation — this is an expected, legitimate automation transition for a mature open-source project. ai
publish-pattern new-deps-added AI (publish-pattern): pirates is a well-known, legitimate require-hook package replacing interpret/rechoir; benign dependency swap consistent with the package's purpose. ai
typosquat typosquat.levenshtein:joi AI (typosquat): @rspack/cli is the official CLI for the Rspack bundler, not a typosquat of 'joi'. The levenshtein match is spurious for this scoped package. ai
bogus-package bogus-package AI (bogus-package): hardfist and chenjiahan are known Rspack/ByteDance engineers; spam flag is a false positive. Package is a legitimate, established CLI tool with 1191 versions and SLSA provenance. ai

Versions (showing 100 of 114)

Version Deps Published
2.1.4 0 / 16
2.1.3 0 / 15
2.1.2 0 / 15
2.1.1 0 / 15
2.1.0 0 / 15
2.0.8 0 / 15
2.0.7 0 / 15
2.0.6 0 / 15
2.0.5 0 / 15
2.0.4 0 / 15
2.0.3 0 / 15
2.0.2 0 / 14
2.0.1 0 / 14
2.0.0 0 / 13
1.7.12 4 / 12
1.7.11 4 / 12
1.7.10 4 / 12
1.7.9 4 / 12
1.7.8 4 / 12
1.7.7 4 / 12
1.7.6 4 / 12
1.7.5 4 / 12
1.7.4 4 / 12
1.7.3 4 / 12
1.7.2 4 / 12
1.7.1 4 / 12
1.7.0 4 / 12
1.6.8 4 / 12
1.6.7 4 / 12
1.6.6 4 / 12
1.6.5 4 / 12
1.6.4 4 / 12
1.6.3 4 / 12
1.6.2 4 / 12
1.6.1 4 / 12
1.6.0 4 / 12
1.5.8 7 / 9
1.5.7 7 / 9
1.5.6 7 / 9
1.5.5 7 / 9
1.5.4 7 / 9
1.5.3 7 / 9
1.5.2 7 / 9
1.5.1 7 / 9
1.5.0 7 / 9
1.4.11 8 / 11
1.4.10 8 / 11
1.4.9 8 / 11
1.4.8 8 / 11
1.4.7 8 / 11
1.4.6 8 / 11
1.4.5 8 / 11
1.4.4 8 / 11
1.4.3 8 / 11
1.4.2 8 / 11
1.4.1 8 / 11
1.4.0 8 / 11
1.3.15 8 / 11
1.3.14 8 / 11
1.3.13 8 / 11
1.3.12 8 / 11
1.3.11 8 / 11
1.3.10 8 / 11
1.3.9 8 / 11
1.3.8 8 / 11
1.3.7 8 / 11
1.3.6 8 / 11
1.3.5 8 / 12
1.3.4 8 / 12
1.3.3 8 / 12
1.3.2 8 / 12
1.3.1 8 / 12
1.3.0 8 / 12
1.2.8 8 / 12
1.2.7 8 / 12
1.2.6 8 / 12
1.2.5 8 / 12
1.2.4 8 / 12
1.2.3 8 / 12
1.2.2 8 / 12
1.2.1 8 / 12
1.2.0 8 / 12
1.1.8 9 / 13
1.1.6 9 / 13
1.1.5 9 / 13
1.1.4 9 / 13
1.1.3 9 / 13
1.1.2 9 / 13
1.1.1 9 / 13
1.1.0 9 / 13
1.0.14 9 / 12
1.0.13 9 / 12
1.0.12 9 / 12
1.0.11 9 / 12
1.0.10 9 / 12
1.0.9 9 / 12
1.0.8 9 / 12
1.0.7 9 / 12
1.0.6 9 / 12
1.0.5 9 / 12
Showing 100 of 114 Next page →

v2.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

4 findings
HIGH New obfuscated file: compiled/jiti/dist/babel.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: compiled/jiti/dist/babel.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: compiled/jiti/dist/jiti.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.