← Home

@umijs/bundler-webpack

@umijs/bundler-webpack

4
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sorryccchenshuai2144kuitospeachscriptxiaohuoniyifankakaxixierenyuanxusd320zoomdong07

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-dropped AI (source-diff): Size drop explained by migration of deps into @umijs/deps compiled bundle; known UmiJS architectural pattern. ai
phantom-deps phantom-dep:webpack-sources AI (phantom-deps): Webpack sources referenced through plugin configuration, not direct imports. ai
phantom-deps phantom-dep:loader-utils AI (phantom-deps): Webpack bundler packages reference loader utilities through config; direct import not required. ai
phantom-deps phantom-dep:schema-utils AI (phantom-deps): Schema validation utilities referenced in webpack loader/plugin configs, not direct imports. ai
phantom-deps phantom-dep:normalize-url AI (phantom-deps): URL normalization referenced in webpack config; stable pattern for bundler packages. ai
source-diff obfuscated-file:bundled/webpackHotDevClient.js AI (source-diff): This is a pre-bundled webpack hot-reload client (webpackBootstrap pattern). Long lines are minified bundle output, not obfuscation. Stable for this package. ai
source-diff source-size-tripled AI (source-diff): Size increase is entirely explained by the addition of the pre-bundled webpackHotDevClient.js (798KB), a legitimate development artifact. ai
source-diff net-exec-file:bundled/webpackHotDevClient.js AI (source-diff): webpackHotDevClient legitimately uses WebSocket network calls and module hot-replacement (dynamic code execution). This is expected behavior for a webpack HMR client artifact. ai
source-diff obfuscated-file:lib/webpack/plugins/mini-css-extract-plugin/src/CssLoadingRuntimeModule.js AI (source-diff): File is standard Babel-transpiled output of vendored mini-css-extract-plugin code. Long lines are inlined Babel helpers, not obfuscation. This pattern is stable for this package's vendored webpack plugin files. ai
source-diff obfuscated-file:bundled/js/webpackHotDevClient.js AI (source-diff): This is webpack-bundled HMR dev client output, identifiable by the /******/ webpack bootstrap pattern. Legitimate build artifact for this bundler package; not obfuscated malware. ai
source-diff net-exec-file:bundled/js/webpackHotDevClient.js AI (source-diff): Network + code execution is expected in a webpack HMR client (WebSocket to dev server + hot module application). No malicious payload; standard webpack dev tooling. ai
phantom-deps phantom-dep:postcss AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@types/webpack-dev-middleware AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/sockjs-client AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:@types/webpack AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less-loader AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Framework-scoped package loaded by convention in bundler; phantom-dep is expected for build tools. ai
phantom-deps phantom-dep:less AI (phantom-deps): Bundler plugin legitimately declares optional loader dependencies referenced in config; not directly imported by design. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer removals are consistent with team rotation in the UmiJS monorepo; no signs of hostile takeover. ai
maintainer-change maintainer-added AI (maintainer-change): UmiJS is a large open-source project with normal team rotation; new maintainers are consistent with ongoing project development. ai
source-diff encoded-string-file:compiled/webpack/index.js AI (source-diff): The encoded string is a WebAssembly binary (MD4 hash) passed to WebAssembly.Module(Buffer.from(...)). This is a standard, legitimate pattern for shipping WASM in bundled JS; not a malicious payload. ai
provenance missing-githead AI (provenance): Established UmiJS monorepo package published by original author sorrycc; missing gitHead is a CI environment change, not a malware indicator. ai
source-diff large-new-source-files AI (source-diff): Package explicitly vendors webpack-ecosystem deps into compiled/ directory per compiledConfig. New source files are expected with each addition to the bundled deps list. ai
source-diff encoded-string-file:compiled/sass-loader/index.js AI (source-diff): sass-loader is in compiledConfig.deps; long encoded strings in minified bundles are normal (immutable.js symbols, etc.), not hidden payloads. ai
source-diff obfuscated-file:compiled/file-loader/index.js AI (source-diff): This package explicitly compiles/vendors deps into compiled/ per its compiledConfig. file-loader is listed as a bundled dep; minified output is expected and legitimate. ai
source-diff net-exec-file:compiled/file-loader/index.js AI (source-diff): Compiled vendor bundle for file-loader; network+exec pattern is from bundled webpack ecosystem code (ajv, URI.js), not malicious dropper behavior. ai
source-diff obfuscated-file:compiled/stylus-loader/index.js AI (source-diff): stylus-loader is explicitly listed in compiledConfig.deps; minified bundle is expected output of the build:deps script. ai
source-diff net-exec-file:compiled/stylus-loader/index.js AI (source-diff): Compiled vendor bundle for stylus-loader; code samples show fast-glob and filesystem utilities, not malicious network+exec patterns. ai
source-diff obfuscated-file:compiled/webpackbar/index.js AI (source-diff): webpackbar is explicitly listed in compiledConfig.deps; minified bundle is expected. Code sample shows chalk/ansi color utilities. ai
source-diff net-exec-file:compiled/webpackbar/index.js AI (source-diff): Compiled vendor bundle for webpackbar; network+exec pattern from bundled webpack progress bar code, not malicious. ai
publish-pattern new-deps-added AI (publish-pattern): New deps (react-refresh, fork-ts-checker-webpack-plugin, @umijs/case-sensitive-paths-webpack-plugin) are well-known legitimate webpack tooling packages appropriate for a webpack bundler package. ai
provenance publisher-changed AI (provenance): peachscript is a long-standing UmiJS org member (2243 days, 67 packages); transition from stormslowly occurred in 2022 and many subsequent versions published without incident. ai
phantom-deps phantom-dep:@types/hapi__joi AI (phantom-deps): Type-only package used by framework convention; not directly imported but legitimately declared as a dep for type resolution. ai
dependencies unvetted-dep:@umijs/babel-preset-umi AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/bundler-utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/mfsu AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
dependencies unvetted-dep:@umijs/utils AI (dependencies): First-party UmiJS monorepo sibling package, always published at the same version. Not a third-party unvetted dependency. ai
bogus-package bogus-package AI (bogus-package): Monorepo sub-package; sparse README/description/keywords is standard for UmiJS internal packages, not a spam indicator. ai
semgrep semgrep:hex-decode AI (semgrep): Fires on compiled file-loader bundle. Hex decoding in schema validation code is standard. ai
provenance no-provenance AI (provenance): Established UmiJS monorepo package; lack of Sigstore provenance is common for this ecosystem and not a risk signal here. ai
semgrep semgrep:child-process-import AI (semgrep): Fires on compiled webpack-bundle-analyzer. child_process is legitimately used to spawn the analyzer server. ai
semgrep semgrep:base64-decode AI (semgrep): Fires on compiled file-loader bundle. Base64 handling in file-loader/schema validation is standard. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires in css-minimizer-webpack-plugin for evaluating minifier options in a sandboxed context — documented upstream behavior, not malicious. ai
semgrep semgrep:eval-usage AI (semgrep): Fires in bundled webpackbar plugin — eval() in webpack plugin bundles is a known pattern, not malicious for this established package. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Fires in bundled speed-measure-webpack-plugin — Reflect.get() in compiled webpack plugin bundles is common and not indicative of malice. ai
semgrep semgrep:dynamic-require AI (semgrep): Fires in css-minimizer-webpack-plugin for loading optional minifier backends at runtime — expected plugin architecture. ai
semgrep semgrep:env-bulk-read AI (semgrep): Fires in bundled compression middleware — reading process.env is expected behavior for this well-known Express middleware. ai

Versions (showing 4 of 104)

Version Deps Published
3.0.7 33 / 0
3.0.6 33 / 0
3.0.3 32 / 0
3.0.2 32 / 0

v3.0.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.