← Home

@rspack/dev-server

Development server for Rspack

100
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hardfist3chenjiahan

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-removed AI (maintainer-change): hardfist removed as hardfist3 added; same person, not a takeover. ai
maintainer-change maintainer-added AI (maintainer-change): hardfist→hardfist3 is the same maintainer renaming; stable for this package. ai
provenance missing-githead AI (provenance): SLSA provenance present; gitHead absence is cosmetic when attestation exists. ai
source-diff obfuscated-file:dist/0~serve-static.js AI (source-diff): Webpack-bundled dependency output with license headers; not obfuscated. ai
phantom-deps phantom-dep:@rspack/dev-middleware AI (phantom-deps): Same-org dep declared in dependencies; re-exported or used transitively. ai
phantom-deps phantom-dep:ws AI (phantom-deps): ws is a declared runtime dependency; phantom-dep fires because it's used indirectly via webpack-dev-server internals. ai
phantom-deps phantom-dep:http-proxy-middleware AI (phantom-deps): http-proxy-middleware is a declared runtime dep used indirectly through webpack-dev-server. ai
provenance publisher-changed AI (provenance): hardfist is a known rspack org maintainer with extensive track record (2275 approved). Legitimate team member publishing. ai
dependencies unvetted-dep:launch-editor AI (dependencies): launch-editor is a well-known utility used by Vue CLI, webpack-dev-server, and similar tools. Legitimate dependency for a dev server. ai
bogus-package bogus-package AI (bogus-package): Flagged maintainers (hardfist, chenjiahan) are known Bytedance/web-infra-dev contributors to the rspack ecosystem — not spam publishers. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is used to deserialize overlay filter functions from URL-encoded strings, a known pattern in webpack/rspack dev server overlay feature. ai
phantom-deps phantom-dep:@types/bonjour AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:spdy AI (phantom-deps): Conditionally required at runtime for HTTPS/HTTP2 support, same pattern as webpack-dev-server. ai
phantom-deps phantom-dep:@types/ws AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:@types/sockjs AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
source-diff source-size-tripled AI (source-diff): Size increase reflects internalizing webpack-dev-server's dependencies rather than delegating to it — a legitimate architectural refactor. ai
source-diff net-exec-file:client/modules/sockjs-client/index.js AI (source-diff): This is a bundled sockjs-client UMD module — a standard client-side transport library. Network calls and dynamic module loading are expected in this context. ai
phantom-deps phantom-dep:ansi-html-community AI (phantom-deps): Used by client overlay module for HTML rendering; referenced indirectly through bundled client code. ai
phantom-deps phantom-dep:@types/connect-history-api-fallback AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:@types/express-serve-static-core AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:@types/serve-static AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:@types/serve-index AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai
phantom-deps phantom-dep:@types/express AI (phantom-deps): TypeScript type declarations; loaded by TS compiler, not runtime imports. ai

Versions (showing 100 of 128)

Hide prereleases
Version Deps Published
2.1.0 1 / 36
2.0.3 1 / 36
2.0.2 1 / 36
2.0.1 1 / 36
2.0.0 1 / 36
1.2.1 28 / 43
1.2.0 28 / 43
1.1.5 5 / 36
1.1.4 5 / 39
1.1.3 5 / 39
1.1.2 5 / 39
1.1.1 8 / 37
1.1.0 8 / 37
1.0.10 9 / 38
1.0.9 9 / 38
1.0.8 9 / 38
1.0.7 9 / 38
1.0.6 9 / 21
1.0.5 9 / 21
1.0.4 9 / 15
1.0.3 8 / 9
1.0.2 8 / 9
1.0.1 8 / 9
1.0.0 8 / 9
0.7.5 8 / 7
0.7.4 8 / 7
0.7.3 8 / 7
0.7.2 8 / 7
0.7.1 8 / 7
0.7.0 8 / 7
0.6.5 8 / 7
0.6.4 8 / 7
0.6.3 8 / 7
0.6.2 8 / 7
0.6.1 8 / 7
0.6.0 8 / 7
0.5.9 8 / 7
0.5.8 8 / 7
0.5.7 8 / 7
0.5.6 8 / 7
0.5.5 8 / 7
0.5.4 8 / 8
0.5.3 8 / 8
0.5.2 8 / 8
0.5.1 10 / 8
0.5.0 10 / 8
0.4.5 10 / 8
0.4.4 10 / 8
0.4.3 10 / 8
0.4.2 10 / 8
0.4.1 10 / 8
0.4.0 10 / 8
0.3.14 10 / 8
0.3.13 10 / 8
0.3.12 10 / 8
0.3.11 11 / 7
0.3.10 11 / 7
0.3.9 11 / 7
0.3.8 11 / 7
0.3.7 11 / 7
0.3.6 11 / 7
0.3.5 11 / 7
0.3.4 11 / 7
0.3.3 11 / 7
0.3.2 11 / 7
0.3.1 11 / 7
0.3.0 11 / 7
0.2.12 11 / 7
0.2.11 11 / 7
0.2.10 11 / 7
0.2.9 11 / 7
0.2.8 11 / 7
0.2.7 11 / 7
0.2.6 11 / 7
0.2.5 11 / 7
0.2.4 11 / 7
0.2.3 11 / 7
0.2.2 11 / 7
0.2.1 11 / 7
0.2.0 11 / 7
0.1.12 10 / 6
0.1.11 10 / 7
0.1.10 10 / 7
0.1.9 10 / 7
0.1.8 10 / 7
0.1.7 10 / 7
0.1.6 10 / 8
0.1.5 9 / 8
0.1.4 9 / 8
0.1.3 9 / 8
0.1.2 9 / 8
0.1.1 9 / 8
0.1.0 9 / 8
0.0.26 9 / 8
0.0.25 9 / 8
0.0.24 9 / 8
0.0.23 9 / 8
0.0.22 9 / 9
0.0.21 9 / 8
0.0.20 9 / 6
Showing 100 of 128 Next page →

v2.1.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.