← Home

@umijs/bundler-webpack

@umijs/bundler-webpack

51
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sorryccchenshuai2144kuitospeachscriptxiaohuoniyifankakaxixierenyuanxusd320zoomdong07

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-dropped AI (source-diff): Size drop explained by migration of deps into @umijs/deps compiled bundle; known UmiJS architectural pattern. ai
phantom-deps phantom-dep:webpack-sources AI (phantom-deps): Webpack sources referenced through plugin configuration, not direct imports. ai
phantom-deps phantom-dep:loader-utils AI (phantom-deps): Webpack bundler packages reference loader utilities through config; direct import not required. ai
phantom-deps phantom-dep:schema-utils AI (phantom-deps): Schema validation utilities referenced in webpack loader/plugin configs, not direct imports. ai
phantom-deps phantom-dep:normalize-url AI (phantom-deps): URL normalization referenced in webpack config; stable pattern for bundler packages. ai
source-diff obfuscated-file:bundled/webpackHotDevClient.js AI (source-diff): This is a pre-bundled webpack hot-reload client (webpackBootstrap pattern). Long lines are minified bundle output, not obfuscation. Stable for this package. ai
source-diff source-size-tripled AI (source-diff): Size increase is entirely explained by the addition of the pre-bundled webpackHotDevClient.js (798KB), a legitimate development artifact. ai
source-diff net-exec-file:bundled/webpackHotDevClient.js AI (source-diff): webpackHotDevClient legitimately uses WebSocket network calls and module hot-replacement (dynamic code execution). This is expected behavior for a webpack HMR client artifact. ai
source-diff obfuscated-file:lib/webpack/plugins/mini-css-extract-plugin/src/CssLoadingRuntimeModule.js AI (source-diff): File is standard Babel-transpiled output of vendored mini-css-extract-plugin code. Long lines are inlined Babel helpers, not obfuscation. This pattern is stable for this package's vendored webpack plugin files. ai
source-diff obfuscated-file:bundled/js/webpackHotDevClient.js AI (source-diff): This is webpack-bundled HMR dev client output, identifiable by the /******/ webpack bootstrap pattern. Legitimate build artifact for this bundler package; not obfuscated malware. ai
source-diff net-exec-file:bundled/js/webpackHotDevClient.js AI (source-diff): Network + code execution is expected in a webpack HMR client (WebSocket to dev server + hot module application). No malicious payload; standard webpack dev tooling. ai
phantom-deps phantom-dep:postcss AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@types/webpack-dev-middleware AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/sockjs-client AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/webpack AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less-loader AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Framework-scoped package loaded by convention in bundler; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer removals are consistent with team rotation in the UmiJS monorepo; no signs of hostile takeover. ai
maintainer-change maintainer-added AI (maintainer-change): UmiJS is a large open-source project with normal team rotation; new maintainers are consistent with ongoing project development. ai
source-diff encoded-string-file:compiled/webpack/index.js AI (source-diff): The encoded string is a WebAssembly binary (MD4 hash) passed to WebAssembly.Module(Buffer.from(...)). This is a standard, legitimate pattern for shipping WASM in bundled JS; not a malicious payload. ai
provenance missing-githead AI (provenance): Established UmiJS monorepo package published by original author sorrycc; missing gitHead is a CI environment change, not a malware indicator. ai
source-diff large-new-source-files AI (source-diff): Package explicitly vendors webpack-ecosystem deps into compiled/ directory per compiledConfig. New source files are expected with each addition to the bundled deps list. ai
source-diff encoded-string-file:compiled/sass-loader/index.js AI (source-diff): sass-loader is in compiledConfig.deps; long encoded strings in minified bundles are normal (immutable.js symbols, etc.), not hidden payloads. ai
source-diff obfuscated-file:compiled/file-loader/index.js AI (source-diff): This package explicitly compiles/vendors deps into compiled/ per its compiledConfig. file-loader is listed as a bundled dep; minified output is expected and legitimate. ai
source-diff net-exec-file:compiled/file-loader/index.js AI (source-diff): Compiled vendor bundle for file-loader; network+exec pattern is from bundled webpack ecosystem code (ajv, URI.js), not malicious dropper behavior. ai
source-diff obfuscated-file:compiled/stylus-loader/index.js AI (source-diff): stylus-loader is explicitly listed in compiledConfig.deps; minified bundle is expected output of the build:deps script. ai
source-diff net-exec-file:compiled/stylus-loader/index.js AI (source-diff): Compiled vendor bundle for stylus-loader; code samples show fast-glob and filesystem utilities, not malicious network+exec patterns. ai
source-diff obfuscated-file:compiled/webpackbar/index.js AI (source-diff): webpackbar is explicitly listed in compiledConfig.deps; minified bundle is expected. Code sample shows chalk/ansi color utilities. ai
source-diff net-exec-file:compiled/webpackbar/index.js AI (source-diff): Compiled vendor bundle for webpackbar; network+exec pattern from bundled webpack progress bar code, not malicious. ai
publish-pattern new-deps-added AI (publish-pattern): New deps (react-refresh, fork-ts-checker-webpack-plugin, @umijs/case-sensitive-paths-webpack-plugin) are well-known legitimate webpack tooling packages appropriate for a webpack bundler package. ai
provenance publisher-changed AI (provenance): peachscript is a long-standing UmiJS org member (2243 days, 67 packages); transition from stormslowly occurred in 2022 and many subsequent versions published without incident. ai
phantom-deps phantom-dep:@types/hapi__joi AI (phantom-deps): Type-only package used by framework convention; not directly imported but legitimately declared as a dep for type resolution. ai
dependencies unvetted-dep:@umijs/babel-preset-umi AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/bundler-utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/mfsu AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
bogus-package bogus-package AI (bogus-package): Monorepo sub-package; sparse README/description/keywords is standard for UmiJS internal packages, not a spam indicator. ai
semgrep semgrep:hex-decode AI (semgrep): Fires on compiled file-loader bundle. Hex decoding in schema validation code is standard. ai
provenance no-provenance AI (provenance): Established UmiJS monorepo package; lack of Sigstore provenance is common for this ecosystem and not a risk signal here. ai
semgrep semgrep:child-process-import AI (semgrep): Fires on compiled webpack-bundle-analyzer. child_process is legitimately used to spawn the analyzer server. ai
semgrep semgrep:base64-decode AI (semgrep): Fires on compiled file-loader bundle. Base64 handling in file-loader/schema validation is standard. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires in css-minimizer-webpack-plugin for evaluating minifier options in a sandboxed context — documented upstream behavior, not malicious. ai
semgrep semgrep:eval-usage AI (semgrep): Fires in bundled webpackbar plugin — eval() in webpack plugin bundles is a known pattern, not malicious for this established package. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Fires in bundled speed-measure-webpack-plugin — Reflect.get() in compiled webpack plugin bundles is common and not indicative of malice. ai
semgrep semgrep:dynamic-require AI (semgrep): Fires in css-minimizer-webpack-plugin for loading optional minifier backends at runtime — expected plugin architecture. ai
semgrep semgrep:env-bulk-read AI (semgrep): Fires in bundled compression middleware — reading process.env is expected behavior for this well-known Express middleware. ai

Versions (showing 51 of 104)

View all versions
Version Deps Published
3.5.43 15 / 5
3.5.42 15 / 5
3.5.41 15 / 5
3.5.40 15 / 5
3.5.39 15 / 5
3.5.38 15 / 5
3.5.37 15 / 5
3.5.36 15 / 5
3.5.35 15 / 5
3.5.34 15 / 5
3.5.33 15 / 5
3.5.31 15 / 5
3.5.30 14 / 5
3.5.29 14 / 5
3.5.28 14 / 5
3.5.27 14 / 5
3.5.26 14 / 5
3.5.25 14 / 5
3.5.24 14 / 5
3.5.22 14 / 5
3.5.21 14 / 5
3.5.20 14 / 5
3.5.19 14 / 5
3.5.18 14 / 5
3.5.17 14 / 5
3.5.16 14 / 5
3.5.14 14 / 5
3.5.11 14 / 5
3.5.10 14 / 5
3.5.9 14 / 5
3.5.8 14 / 5
3.5.7 14 / 5
3.5.6 14 / 5
3.5.5 14 / 5
3.5.3 14 / 5
3.5.2 14 / 5
3.5.1 14 / 5
3.5.0 14 / 5
3.4.24 14 / 5
3.4.21 14 / 5
3.4.20 14 / 5
3.4.19 14 / 5
3.4.18 14 / 5
3.4.16 14 / 5
3.4.15 14 / 5
3.4.14 14 / 5
3.4.13 14 / 5
3.4.12 14 / 5
3.4.11 14 / 5
3.4.6 14 / 5
3.4.5 14 / 5

v3.5.43

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.42

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.40

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.39

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: stormslowly → peachscript (on 2023-03-31, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (stormslowly) on 2023-03-31, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.38

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2023-03-15, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2023-03-15, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.37

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → stormslowly (on 2023-02-16, known maintainer) provenance

This version was published by a different npm account (stormslowly) than the most recent previously approved version (peachscript) on 2023-02-16, but stormslowly is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.36

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-12-22, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-12-22, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.35

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.34

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-09-01, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-09-01, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.33

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-08-25, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-08-25, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.31

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-07-29, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-29, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.30

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-07-14, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.29

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-07-14, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.28

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-07-07, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-07, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.27

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.26

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.25

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-06-02, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-06-02, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.20

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.20

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2021-05-11, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2021-05-11, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.4.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.15

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.12

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.