@umijs/bundler-webpack
@umijs/bundler-webpack
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-dropped | AI (source-diff): Size drop explained by migration of deps into @umijs/deps compiled bundle; known UmiJS architectural pattern. | ai | |
| phantom-deps | phantom-dep:webpack-sources | AI (phantom-deps): Webpack sources referenced through plugin configuration, not direct imports. | ai | |
| phantom-deps | phantom-dep:loader-utils | AI (phantom-deps): Webpack bundler packages reference loader utilities through config; direct import not required. | ai | |
| phantom-deps | phantom-dep:schema-utils | AI (phantom-deps): Schema validation utilities referenced in webpack loader/plugin configs, not direct imports. | ai | |
| phantom-deps | phantom-dep:normalize-url | AI (phantom-deps): URL normalization referenced in webpack config; stable pattern for bundler packages. | ai | |
| source-diff | obfuscated-file:bundled/webpackHotDevClient.js | AI (source-diff): This is a pre-bundled webpack hot-reload client (webpackBootstrap pattern). Long lines are minified bundle output, not obfuscation. Stable for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely explained by the addition of the pre-bundled webpackHotDevClient.js (798KB), a legitimate development artifact. | ai | |
| source-diff | net-exec-file:bundled/webpackHotDevClient.js | AI (source-diff): webpackHotDevClient legitimately uses WebSocket network calls and module hot-replacement (dynamic code execution). This is expected behavior for a webpack HMR client artifact. | ai | |
| source-diff | obfuscated-file:lib/webpack/plugins/mini-css-extract-plugin/src/CssLoadingRuntimeModule.js | AI (source-diff): File is standard Babel-transpiled output of vendored mini-css-extract-plugin code. Long lines are inlined Babel helpers, not obfuscation. This pattern is stable for this package's vendored webpack plugin files. | ai | |
| source-diff | obfuscated-file:bundled/js/webpackHotDevClient.js | AI (source-diff): This is webpack-bundled HMR dev client output, identifiable by the /******/ webpack bootstrap pattern. Legitimate build artifact for this bundler package; not obfuscated malware. | ai | |
| source-diff | net-exec-file:bundled/js/webpackHotDevClient.js | AI (source-diff): Network + code execution is expected in a webpack HMR client (WebSocket to dev server + hot module application). No malicious payload; standard webpack dev tooling. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:@types/webpack-dev-middleware | AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. | ai | |
| phantom-deps | phantom-dep:@types/sockjs-client | AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. | ai | |
| phantom-deps | phantom-dep:@types/webpack | AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. | ai | |
| phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped package loaded by convention in bundler; phantom-dep is expected for build tools. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals are consistent with team rotation in the UmiJS monorepo; no signs of hostile takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): UmiJS is a large open-source project with normal team rotation; new maintainers are consistent with ongoing project development. | ai | |
| source-diff | encoded-string-file:compiled/webpack/index.js | AI (source-diff): The encoded string is a WebAssembly binary (MD4 hash) passed to WebAssembly.Module(Buffer.from(...)). This is a standard, legitimate pattern for shipping WASM in bundled JS; not a malicious payload. | ai | |
| provenance | missing-githead | AI (provenance): Established UmiJS monorepo package published by original author sorrycc; missing gitHead is a CI environment change, not a malware indicator. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package explicitly vendors webpack-ecosystem deps into compiled/ directory per compiledConfig. New source files are expected with each addition to the bundled deps list. | ai | |
| source-diff | encoded-string-file:compiled/sass-loader/index.js | AI (source-diff): sass-loader is in compiledConfig.deps; long encoded strings in minified bundles are normal (immutable.js symbols, etc.), not hidden payloads. | ai | |
| source-diff | obfuscated-file:compiled/file-loader/index.js | AI (source-diff): This package explicitly compiles/vendors deps into compiled/ per its compiledConfig. file-loader is listed as a bundled dep; minified output is expected and legitimate. | ai | |
| source-diff | net-exec-file:compiled/file-loader/index.js | AI (source-diff): Compiled vendor bundle for file-loader; network+exec pattern is from bundled webpack ecosystem code (ajv, URI.js), not malicious dropper behavior. | ai | |
| source-diff | obfuscated-file:compiled/stylus-loader/index.js | AI (source-diff): stylus-loader is explicitly listed in compiledConfig.deps; minified bundle is expected output of the build:deps script. | ai | |
| source-diff | net-exec-file:compiled/stylus-loader/index.js | AI (source-diff): Compiled vendor bundle for stylus-loader; code samples show fast-glob and filesystem utilities, not malicious network+exec patterns. | ai | |
| source-diff | obfuscated-file:compiled/webpackbar/index.js | AI (source-diff): webpackbar is explicitly listed in compiledConfig.deps; minified bundle is expected. Code sample shows chalk/ansi color utilities. | ai | |
| source-diff | net-exec-file:compiled/webpackbar/index.js | AI (source-diff): Compiled vendor bundle for webpackbar; network+exec pattern from bundled webpack progress bar code, not malicious. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (react-refresh, fork-ts-checker-webpack-plugin, @umijs/case-sensitive-paths-webpack-plugin) are well-known legitimate webpack tooling packages appropriate for a webpack bundler package. | ai | |
| provenance | publisher-changed | AI (provenance): peachscript is a long-standing UmiJS org member (2243 days, 67 packages); transition from stormslowly occurred in 2022 and many subsequent versions published without incident. | ai | |
| phantom-deps | phantom-dep:@types/hapi__joi | AI (phantom-deps): Type-only package used by framework convention; not directly imported but legitimately declared as a dep for type resolution. | ai | |
| dependencies | unvetted-dep:@umijs/babel-preset-umi | AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-utils | AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. | ai | |
| dependencies | unvetted-dep:@umijs/mfsu | AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. | ai | |
| dependencies | unvetted-dep:@umijs/utils | AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; sparse README/description/keywords is standard for UmiJS internal packages, not a spam indicator. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Fires on compiled file-loader bundle. Hex decoding in schema validation code is standard. | ai | |
| provenance | no-provenance | AI (provenance): Established UmiJS monorepo package; lack of Sigstore provenance is common for this ecosystem and not a risk signal here. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Fires on compiled webpack-bundle-analyzer. child_process is legitimately used to spawn the analyzer server. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires on compiled file-loader bundle. Base64 handling in file-loader/schema validation is standard. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in css-minimizer-webpack-plugin for evaluating minifier options in a sandboxed context — documented upstream behavior, not malicious. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Fires in bundled webpackbar plugin — eval() in webpack plugin bundles is a known pattern, not malicious for this established package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in bundled speed-measure-webpack-plugin — Reflect.get() in compiled webpack plugin bundles is common and not indicative of malice. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires in css-minimizer-webpack-plugin for loading optional minifier backends at runtime — expected plugin architecture. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Fires in bundled compression middleware — reading process.env is expected behavior for this well-known Express middleware. | ai |
Versions (showing 100 of 104)
| Version | Deps | Published |
|---|---|---|
| 3.5.43 | 15 / 5 | |
| 3.5.42 | 15 / 5 | |
| 3.5.41 | 15 / 5 | |
| 3.5.40 | 15 / 5 | |
| 3.5.39 | 15 / 5 | |
| 3.5.38 | 15 / 5 | |
| 3.5.37 | 15 / 5 | |
| 3.5.36 | 15 / 5 | |
| 3.5.35 | 15 / 5 | |
| 3.5.34 | 15 / 5 | |
| 3.5.33 | 15 / 5 | |
| 3.5.31 | 15 / 5 | |
| 3.5.30 | 14 / 5 | |
| 3.5.29 | 14 / 5 | |
| 3.5.28 | 14 / 5 | |
| 3.5.27 | 14 / 5 | |
| 3.5.26 | 14 / 5 | |
| 3.5.25 | 14 / 5 | |
| 3.5.24 | 14 / 5 | |
| 3.5.22 | 14 / 5 | |
| 3.5.21 | 14 / 5 | |
| 3.5.20 | 14 / 5 | |
| 3.5.19 | 14 / 5 | |
| 3.5.18 | 14 / 5 | |
| 3.5.17 | 14 / 5 | |
| 3.5.16 | 14 / 5 | |
| 3.5.14 | 14 / 5 | |
| 3.5.11 | 14 / 5 | |
| 3.5.10 | 14 / 5 | |
| 3.5.9 | 14 / 5 | |
| 3.5.8 | 14 / 5 | |
| 3.5.7 | 14 / 5 | |
| 3.5.6 | 14 / 5 | |
| 3.5.5 | 14 / 5 | |
| 3.5.3 | 14 / 5 | |
| 3.5.2 | 14 / 5 | |
| 3.5.1 | 14 / 5 | |
| 3.5.0 | 14 / 5 | |
| 3.4.24 | 14 / 5 | |
| 3.4.21 | 14 / 5 | |
| 3.4.20 | 14 / 5 | |
| 3.4.19 | 14 / 5 | |
| 3.4.18 | 14 / 5 | |
| 3.4.16 | 14 / 5 | |
| 3.4.15 | 14 / 5 | |
| 3.4.14 | 14 / 5 | |
| 3.4.13 | 14 / 5 | |
| 3.4.12 | 14 / 5 | |
| 3.4.11 | 14 / 5 | |
| 3.4.6 | 14 / 5 | |
| 3.4.5 | 14 / 5 | |
| 3.4.4 | 14 / 5 | |
| 3.4.3 | 14 / 5 | |
| 3.4.2 | 14 / 5 | |
| 3.4.1 | 14 / 5 | |
| 3.4.0 | 14 / 5 | |
| 3.3.14 | 40 / 1 | |
| 3.3.12 | 40 / 1 | |
| 3.3.11 | 40 / 1 | |
| 3.3.10 | 40 / 1 | |
| 3.3.9 | 40 / 1 | |
| 3.3.8 | 40 / 1 | |
| 3.3.4 | 40 / 1 | |
| 3.3.3 | 40 / 1 | |
| 3.3.2 | 40 / 1 | |
| 3.3.1 | 40 / 1 | |
| 3.3.0 | 40 / 1 | |
| 3.2.28 | 39 / 1 | |
| 3.2.27 | 39 / 1 | |
| 3.2.26 | 39 / 1 | |
| 3.2.25 | 39 / 1 | |
| 3.2.24 | 39 / 1 | |
| 3.2.23 | 39 / 1 | |
| 3.2.22 | 39 / 1 | |
| 3.2.21 | 39 / 0 | |
| 3.2.20 | 39 / 0 | |
| 3.2.19 | 39 / 0 | |
| 3.2.18 | 36 / 0 | |
| 3.2.17 | 35 / 0 | |
| 3.2.16 | 34 / 0 | |
| 3.2.15 | 34 / 0 | |
| 3.2.14 | 34 / 0 | |
| 3.2.13 | 34 / 0 | |
| 3.2.11 | 34 / 0 | |
| 3.2.10 | 34 / 0 | |
| 3.2.9 | 34 / 0 | |
| 3.2.7 | 34 / 0 | |
| 3.2.6 | 34 / 0 | |
| 3.2.5 | 34 / 0 | |
| 3.2.4 | 34 / 0 | |
| 3.2.2 | 34 / 0 | |
| 3.2.1 | 34 / 0 | |
| 3.2.0 | 34 / 0 | |
| 3.1.3 | 34 / 0 | |
| 3.0.17 | 33 / 0 | |
| 3.0.15 | 33 / 0 | |
| 3.0.12 | 33 / 0 | |
| 3.0.11 | 33 / 0 | |
| 3.0.9 | 33 / 0 | |
| 3.0.8 | 33 / 0 |
v3.5.43
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.39
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (stormslowly) on 2023-03-31, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.38
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2023-03-15, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.37
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (stormslowly) than the most recent previously approved version (peachscript) on 2023-02-16, but stormslowly is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.36
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-12-22, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.34
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-09-01, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.33
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-08-25, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.31
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-29, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.30
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.29
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.28
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-07, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.25
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-06-02, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.20
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2021-05-11, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-03-11, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-03-09, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.9
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2021-02-23, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-01-08, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.26
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-11-06, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.23
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-10-09, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.15
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-08-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.10
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-07-15, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-07-01, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-06-28, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-05-19, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.