
@tarojs/webpack5-runner

9 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry signature proves only that the registry served this exact tarball, not that it was built from any commit of the repository. The axios compromise (March 2026) relied on exactly this gap.
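The three status badges above can be derived from the metadata the public npm registry returns for a version (the object `npm view <pkg>@<version> --json` prints). The following is an added example, not part of this report's tooling; the field names `dist.attestations`, `dist.signatures` and `gitHead` are the registry's real ones, while both records are constructed samples rather than live data.

```javascript
// Added example, not part of this report's tooling: derive the three
// provenance badges (SLSA provenance / registry signature / source commit)
// from the metadata the public npm registry returns for one version,
// i.e. the object printed by `npm view <pkg>@<version> --json`.
// Field names (dist.attestations, dist.signatures, gitHead) are the registry's
// real ones; the two records below are constructed samples, not live data.

// Constructed to look like a version published without provenance: the
// registry signed the tarball, but nothing binds it to a source commit.
const sampleNoProvenance = {
  name: '@tarojs/webpack5-runner',
  version: '4.2.0',
  dist: {
    tarball: 'https://registry.npmjs.org/@tarojs/webpack5-runner/-/webpack5-runner-4.2.0.tgz',
    integrity: 'sha512-CONSTRUCTED_PLACEHOLDER',
    signatures: [{ keyid: 'SHA256:constructed-registry-key-id', sig: 'constructed-signature' }],
  },
};

// Constructed to look like a version published with `npm publish --provenance`
// from CI: an SLSA attestation plus the commit the build ran from.
const sampleWithProvenance = {
  name: 'example-pkg',                          // hypothetical package
  version: '1.0.0',
  gitHead: '0123456789abcdef0123456789abcdef01234567',
  repository: { type: 'git', url: 'git+https://github.com/example/example-pkg.git' },
  dist: {
    tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
    integrity: 'sha512-CONSTRUCTED_PLACEHOLDER',
    signatures: [{ keyid: 'SHA256:constructed-registry-key-id', sig: 'constructed-signature' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.0.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

function provenanceStatus(meta) {
  const dist = meta.dist || {};
  const predicate = dist.attestations && dist.attestations.provenance
    ? String(dist.attestations.provenance.predicateType || '') : '';
  // An SLSA provenance attestation is what links tarball -> builder -> commit.
  const hasSlsaProvenance = /slsa\.dev\/provenance\//.test(predicate);
  // The registry signature only proves the registry issued this exact tarball.
  const hasRegistrySignature = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  // gitHead is self-reported by the publishing client and not verified by the
  // registry, so its presence is weak evidence; its absence means there is no
  // commit to check at all. Only the attestation makes the commit trustworthy.
  const hasSourceCommit = typeof meta.gitHead === 'string' && /^[0-9a-f]{40}$/.test(meta.gitHead);
  const findings = [];
  if (!hasSlsaProvenance) findings.push('No SLSA provenance');
  if (!hasRegistrySignature) findings.push('No npm registry signature');
  if (!hasSourceCommit) findings.push('No source commit');
  return {
    hasSlsaProvenance,
    hasRegistrySignature,
    hasSourceCommit,
    sourceCommitVerified: hasSlsaProvenance && hasSourceCommit,
    severity: hasSlsaProvenance ? 'NONE' : 'LOW',   // same rating the per-version findings use
    findings,
  };
}

console.log(JSON.stringify(provenanceStatus(sampleNoProvenance), null, 2));
console.log(JSON.stringify(provenanceStatus(sampleWithProvenance), null, 2));
```

Against the live registry the same check is `npm view @tarojs/webpack5-runner@4.2.0 dist --json` (look for an `attestations` key) and, inside a project that depends on the package, `npm audit signatures`, which verifies registry signatures and any provenance attestations it finds. Treat a present `gitHead` without an attestation as unverified: the publishing client writes it, the registry does not check it.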

Maintainers

yuchexuanzebindefaultleedrchankyjoqq592743779advancedcatbaosiqingzakaryliuzejiavasily.cjjhardenzheng2

Keywords

taro

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:html-minifier | AI (dependencies): html-minifier is a long-standing dep in this package; no active exploitable advisory against the pinned range. | ai |
phantom-deps | phantom-dep:less | AI (phantom-deps): CSS preprocessor referenced in webpack config, not imported directly; expected pattern. | ai |
phantom-deps | phantom-dep:stylus | AI (phantom-deps): CSS preprocessor referenced in webpack config, not imported directly; expected pattern. | ai |
phantom-deps | phantom-dep:csso | AI (phantom-deps): Used indirectly via css-minimizer-webpack-plugin config; stable false positive. | ai |
phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): Utility referenced in config/scripts context; stable false positive for this package. | ai |
phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Webpack loader referenced in config strings; stable false positive. | ai |
phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config strings; stable false positive. | ai |
phantom-deps | phantom-dep:vue-loader | AI (phantom-deps): Webpack loader referenced in config strings; stable false positive. | ai |
phantom-deps | phantom-dep:@parcel/css | AI (phantom-deps): Referenced in webpack config options; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@tarojs/plugin-platform-jd | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai |
phantom-deps | phantom-dep:@tarojs/plugin-platform-qq | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai |
phantom-deps | phantom-dep:@tarojs/plugin-platform-tt | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai |
phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:stylus-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:resolve-url-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:lightningcss | AI (phantom-deps): Optional CSS processor referenced by name in config; stable pattern for this package. | ai |
phantom-deps | phantom-dep:esbuild | AI (phantom-deps): Known implicit binary dependency for esbuild-loader; stable for this package. | ai |
phantom-deps | phantom-dep:acorn | AI (phantom-deps): Referenced in config/plugin code by string; stable pattern for webpack runner. | ai |
phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack runner references loaders by string in config; not directly imported but legitimately used. | ai |
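Most of the accepted findings above share one pattern: a module that is named as a string in a webpack config but never imported by this package's own code. An added example follows that tells that pattern apart from a real phantom dependency (a `require`/`import` of an undeclared module). It is not the scanner's own rule code; the package.json, file contents and the package name `@example/webpack-runner` are constructed for the example.

```javascript
// Added example, not the scanner's own rule code: find "phantom" dependencies,
// i.e. modules a package loads that its package.json does not declare, and
// separate real imports (require/import) from modules that are only named as
// strings, e.g. webpack loaders listed in a config. The accepted findings above
// are the second kind. package.json, file names and file contents are
// constructed for this example; `@example/webpack-runner` is hypothetical.

// Partial list of Node builtins, enough for the sample; real code would use
// require('node:module').builtinModules instead.
const BUILTINS = new Set([
  'assert', 'buffer', 'child_process', 'crypto', 'events', 'fs', 'http', 'https',
  'module', 'net', 'os', 'path', 'process', 'stream', 'url', 'util', 'zlib',
]);

const packageJson = {
  name: '@example/webpack-runner',
  dependencies: { webpack: '^5.0.0', 'babel-loader': '^9.0.0' },
  devDependencies: { esbuild: '^0.19.0' },
};

// Constructed source file standing in for a webpack runner's config module.
const sources = {
  'src/config/loaders.js': `
    const path = require('path');                  // Node builtin: ignored
    const webpack = require('webpack');            // declared: fine
    const { merge } = require('webpack-merge');    // undeclared import: phantom
    import chalk from 'chalk';                     // undeclared import: phantom
    module.exports = merge({}, {
      module: { rules: [
        { test: /\\.scss$/, use: ['style-loader', 'css-loader', 'sass-loader'] }, // string-only
        { test: /\\.js$/, use: 'babel-loader' },                                   // declared
      ] },
    });
  `,
};

// require('x'), import('x'), import x from 'x', import 'x'
const IMPORT_RE = /(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bimport\s+(?:[\w*{}$\s,]+?\s+from\s+)?)['"]([^'"]+)['"]/g;
// Quoted strings that look like loader packages ('x-loader', '@scope/x-loader'):
// a heuristic for config-only references, deliberately narrow to limit noise.
const LOADER_STRING_RE = /['"]((?:@[a-z0-9._-]+\/)?[a-z0-9._-]*-loader)['"]/g;

// 'pkg/sub' -> 'pkg', '@scope/pkg/sub' -> '@scope/pkg'; null for relative paths and builtins.
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const s = specifier.startsWith('node:') ? specifier.slice('node:'.length) : specifier;
  const parts = s.split('/');
  const name = s.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

function declaredDependencies(pkg) {
  return new Set(Object.keys({
    ...pkg.dependencies, ...pkg.devDependencies,
    ...pkg.peerDependencies, ...pkg.optionalDependencies,
  }));
}

function findPhantomDeps(pkg, files) {
  const declared = declaredDependencies(pkg);
  const imported = new Set();
  const stringRefs = new Set();
  for (const text of Object.values(files)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) imported.add(name);
    }
    for (const m of text.matchAll(LOADER_STRING_RE)) {
      const name = packageName(m[1]);
      if (name) stringRefs.add(name);
    }
  }
  return {
    // Loaded at runtime but undeclared: a real phantom dependency to block on.
    phantomImports: [...imported].filter((n) => !declared.has(n)).sort(),
    // Only named as a string: resolved by webpack in the consumer's tree, not by
    // this package's own require(); usually accepted, but still worth listing.
    stringOnlyReferences: [...stringRefs].filter((n) => !imported.has(n) && !declared.has(n)).sort(),
  };
}

console.log(findPhantomDeps(packageJson, sources));
```

In a real review the walk covers every file the published tarball ships, and each string-only hit is cross-checked against how the loader is resolved at runtime: webpack resolves loader names from the consuming project, so a loader this package needs but leaves undeclared still fails when the consumer has not installed it, which is why "legitimately used" in the table above is a reason to declare it as a dependency or peerDependency, not a reason to ignore it.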

Versions (showing 9 of 9)

Version | Deps | Published
4.2.0 | 46 / 10 |
4.1.10 | 46 / 10 |
4.1.9 | 46 / 10 |
4.1.3 | 46 / 10 |
4.1.1 | 46 / 10 |
4.1.0 | 46 / 10 |
4.0.13 | 46 / 10 |
3.6.40 | 59 / 19 |
3.6.39 | 59 / 19 |

v4.2.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.10

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.9

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.3

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.13

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.6.40

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.6.39

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.