← Home

@umijs/bundler-webpack

@umijs/bundler-webpack

100
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sorryccchenshuai2144kuitospeachscriptxiaohuoniyifankakaxixierenyuanxusd320zoomdong07

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-dropped AI (source-diff): Size drop explained by migration of deps into @umijs/deps compiled bundle; known UmiJS architectural pattern. ai
phantom-deps phantom-dep:webpack-sources AI (phantom-deps): Webpack sources referenced through plugin configuration, not direct imports. ai
phantom-deps phantom-dep:loader-utils AI (phantom-deps): Webpack bundler packages reference loader utilities through config; direct import not required. ai
phantom-deps phantom-dep:schema-utils AI (phantom-deps): Schema validation utilities referenced in webpack loader/plugin configs, not direct imports. ai
phantom-deps phantom-dep:normalize-url AI (phantom-deps): URL normalization referenced in webpack config; stable pattern for bundler packages. ai
source-diff obfuscated-file:bundled/webpackHotDevClient.js AI (source-diff): This is a pre-bundled webpack hot-reload client (webpackBootstrap pattern). Long lines are minified bundle output, not obfuscation. Stable for this package. ai
source-diff source-size-tripled AI (source-diff): Size increase is entirely explained by the addition of the pre-bundled webpackHotDevClient.js (798KB), a legitimate development artifact. ai
source-diff net-exec-file:bundled/webpackHotDevClient.js AI (source-diff): webpackHotDevClient legitimately uses WebSocket network calls and module hot-replacement (dynamic code execution). This is expected behavior for a webpack HMR client artifact. ai
source-diff obfuscated-file:lib/webpack/plugins/mini-css-extract-plugin/src/CssLoadingRuntimeModule.js AI (source-diff): File is standard Babel-transpiled output of vendored mini-css-extract-plugin code. Long lines are inlined Babel helpers, not obfuscation. This pattern is stable for this package's vendored webpack plugin files. ai
source-diff obfuscated-file:bundled/js/webpackHotDevClient.js AI (source-diff): This is webpack-bundled HMR dev client output, identifiable by the /******/ webpack bootstrap pattern. Legitimate build artifact for this bundler package; not obfuscated malware. ai
source-diff net-exec-file:bundled/js/webpackHotDevClient.js AI (source-diff): Network + code execution is expected in a webpack HMR client (WebSocket to dev server + hot module application). No malicious payload; standard webpack dev tooling. ai
phantom-deps phantom-dep:postcss AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@types/webpack-dev-middleware AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/sockjs-client AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/webpack AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less-loader AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Framework-scoped package loaded by convention in bundler; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer removals are consistent with team rotation in the UmiJS monorepo; no signs of hostile takeover. ai
maintainer-change maintainer-added AI (maintainer-change): UmiJS is a large open-source project with normal team rotation; new maintainers are consistent with ongoing project development. ai
source-diff encoded-string-file:compiled/webpack/index.js AI (source-diff): The encoded string is a WebAssembly binary (MD4 hash) passed to WebAssembly.Module(Buffer.from(...)). This is a standard, legitimate pattern for shipping WASM in bundled JS; not a malicious payload. ai
provenance missing-githead AI (provenance): Established UmiJS monorepo package published by original author sorrycc; missing gitHead is a CI environment change, not a malware indicator. ai
source-diff large-new-source-files AI (source-diff): Package explicitly vendors webpack-ecosystem deps into compiled/ directory per compiledConfig. New source files are expected with each addition to the bundled deps list. ai
source-diff encoded-string-file:compiled/sass-loader/index.js AI (source-diff): sass-loader is in compiledConfig.deps; long encoded strings in minified bundles are normal (immutable.js symbols, etc.), not hidden payloads. ai
source-diff obfuscated-file:compiled/file-loader/index.js AI (source-diff): This package explicitly compiles/vendors deps into compiled/ per its compiledConfig. file-loader is listed as a bundled dep; minified output is expected and legitimate. ai
source-diff net-exec-file:compiled/file-loader/index.js AI (source-diff): Compiled vendor bundle for file-loader; network+exec pattern is from bundled webpack ecosystem code (ajv, URI.js), not malicious dropper behavior. ai
source-diff obfuscated-file:compiled/stylus-loader/index.js AI (source-diff): stylus-loader is explicitly listed in compiledConfig.deps; minified bundle is expected output of the build:deps script. ai
source-diff net-exec-file:compiled/stylus-loader/index.js AI (source-diff): Compiled vendor bundle for stylus-loader; code samples show fast-glob and filesystem utilities, not malicious network+exec patterns. ai
source-diff obfuscated-file:compiled/webpackbar/index.js AI (source-diff): webpackbar is explicitly listed in compiledConfig.deps; minified bundle is expected. Code sample shows chalk/ansi color utilities. ai
source-diff net-exec-file:compiled/webpackbar/index.js AI (source-diff): Compiled vendor bundle for webpackbar; network+exec pattern from bundled webpack progress bar code, not malicious. ai
publish-pattern new-deps-added AI (publish-pattern): New deps (react-refresh, fork-ts-checker-webpack-plugin, @umijs/case-sensitive-paths-webpack-plugin) are well-known legitimate webpack tooling packages appropriate for a webpack bundler package. ai
provenance publisher-changed AI (provenance): peachscript is a long-standing UmiJS org member (2243 days, 67 packages); transition from stormslowly occurred in 2022 and many subsequent versions published without incident. ai
phantom-deps phantom-dep:@types/hapi__joi AI (phantom-deps): Type-only package used by framework convention; not directly imported but legitimately declared as a dep for type resolution. ai
dependencies unvetted-dep:@umijs/babel-preset-umi AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/bundler-utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/mfsu AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
bogus-package bogus-package AI (bogus-package): Monorepo sub-package; sparse README/description/keywords is standard for UmiJS internal packages, not a spam indicator. ai
semgrep semgrep:hex-decode AI (semgrep): Fires on compiled file-loader bundle. Hex decoding in schema validation code is standard. ai
provenance no-provenance AI (provenance): Established UmiJS monorepo package; lack of Sigstore provenance is common for this ecosystem and not a risk signal here. ai
semgrep semgrep:child-process-import AI (semgrep): Fires on compiled webpack-bundle-analyzer. child_process is legitimately used to spawn the analyzer server. ai
semgrep semgrep:base64-decode AI (semgrep): Fires on compiled file-loader bundle. Base64 handling in file-loader/schema validation is standard. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires in css-minimizer-webpack-plugin for evaluating minifier options in a sandboxed context — documented upstream behavior, not malicious. ai
semgrep semgrep:eval-usage AI (semgrep): Fires in bundled webpackbar plugin — eval() in webpack plugin bundles is a known pattern, not malicious for this established package. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Fires in bundled speed-measure-webpack-plugin — Reflect.get() in compiled webpack plugin bundles is common and not indicative of malice. ai
semgrep semgrep:dynamic-require AI (semgrep): Fires in css-minimizer-webpack-plugin for loading optional minifier backends at runtime — expected plugin architecture. ai
semgrep semgrep:env-bulk-read AI (semgrep): Fires in bundled compression middleware — reading process.env is expected behavior for this well-known Express middleware. ai

Versions (showing 100 of 104)

Version Deps Published
3.5.43 15 / 5
3.5.42 15 / 5
3.5.41 15 / 5
3.5.40 15 / 5
3.5.39 15 / 5
3.5.38 15 / 5
3.5.37 15 / 5
3.5.36 15 / 5
3.5.35 15 / 5
3.5.34 15 / 5
3.5.33 15 / 5
3.5.31 15 / 5
3.5.30 14 / 5
3.5.29 14 / 5
3.5.28 14 / 5
3.5.27 14 / 5
3.5.26 14 / 5
3.5.25 14 / 5
3.5.24 14 / 5
3.5.22 14 / 5
3.5.21 14 / 5
3.5.20 14 / 5
3.5.19 14 / 5
3.5.18 14 / 5
3.5.17 14 / 5
3.5.16 14 / 5
3.5.14 14 / 5
3.5.11 14 / 5
3.5.10 14 / 5
3.5.9 14 / 5
3.5.8 14 / 5
3.5.7 14 / 5
3.5.6 14 / 5
3.5.5 14 / 5
3.5.3 14 / 5
3.5.2 14 / 5
3.5.1 14 / 5
3.5.0 14 / 5
3.4.24 14 / 5
3.4.21 14 / 5
3.4.20 14 / 5
3.4.19 14 / 5
3.4.18 14 / 5
3.4.16 14 / 5
3.4.15 14 / 5
3.4.14 14 / 5
3.4.13 14 / 5
3.4.12 14 / 5
3.4.11 14 / 5
3.4.6 14 / 5
3.4.5 14 / 5
3.4.4 14 / 5
3.4.3 14 / 5
3.4.2 14 / 5
3.4.1 14 / 5
3.4.0 14 / 5
3.3.14 40 / 1
3.3.12 40 / 1
3.3.11 40 / 1
3.3.10 40 / 1
3.3.9 40 / 1
3.3.8 40 / 1
3.3.4 40 / 1
3.3.3 40 / 1
3.3.2 40 / 1
3.3.1 40 / 1
3.3.0 40 / 1
3.2.28 39 / 1
3.2.27 39 / 1
3.2.26 39 / 1
3.2.25 39 / 1
3.2.24 39 / 1
3.2.23 39 / 1
3.2.22 39 / 1
3.2.21 39 / 0
3.2.20 39 / 0
3.2.19 39 / 0
3.2.18 36 / 0
3.2.17 35 / 0
3.2.16 34 / 0
3.2.15 34 / 0
3.2.14 34 / 0
3.2.13 34 / 0
3.2.11 34 / 0
3.2.10 34 / 0
3.2.9 34 / 0
3.2.7 34 / 0
3.2.6 34 / 0
3.2.5 34 / 0
3.2.4 34 / 0
3.2.2 34 / 0
3.2.1 34 / 0
3.2.0 34 / 0
3.1.3 34 / 0
3.0.17 33 / 0
3.0.15 33 / 0
3.0.12 33 / 0
3.0.11 33 / 0
3.0.9 33 / 0
3.0.8 33 / 0
Showing 100 of 104 Next page →

v3.5.43

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.42

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.40

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.39

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: stormslowly → peachscript (on 2023-03-31, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (stormslowly) on 2023-03-31, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.38

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2023-03-15, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2023-03-15, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.37

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → stormslowly (on 2023-02-16, known maintainer) provenance

This version was published by a different npm account (stormslowly) than the most recent previously approved version (peachscript) on 2023-02-16, but stormslowly is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.36

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-12-22, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-12-22, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.35

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.34

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-09-01, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-09-01, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.33

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-08-25, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-08-25, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.31

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-07-29, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-29, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.30

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-07-14, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.29

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: peachscript → sorrycc (on 2022-07-14, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (peachscript) on 2022-07-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.28

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-07-07, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-07-07, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.27

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.26

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.25

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → peachscript (on 2022-06-02, known maintainer) provenance

This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2022-06-02, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.5.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.20

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.20

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2021-05-11, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2021-05-11, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.4.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.15

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.12

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.1

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2021-03-11, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-03-11, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.4.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2021-03-09, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-03-09, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.3.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.12

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.9

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2021-02-23, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2021-02-23, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.3.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.4

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2021-01-08, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2021-01-08, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.3.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.28

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.27

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.26

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2020-11-06, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-11-06, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.25

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.23

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2020-10-09, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-10-09, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.20

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.15

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2020-08-14, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-08-14, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.10

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2020-07-15, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-07-15, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.7

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2020-07-01, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-07-01, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.6

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ycjcl868 → sorrycc (on 2020-06-28, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (ycjcl868) on 2020-06-28, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.2.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: sorrycc → ycjcl868 (on 2020-05-19, known maintainer) provenance

This version was published by a different npm account (ycjcl868) than the most recent previously approved version (sorrycc) on 2020-05-19, but ycjcl868 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v3.1.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.15

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.12

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.