← Home

father

A bundless/bundle build tool

79
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

sorryccstormslowlypopomorepeachscriptzombiejchenshuai2144yifankakaxizoomdong07

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:sass-loader AI (phantom-deps): Referenced via config, expected for storybook/docz tooling. ai
source-diff source-size-tripled AI (source-diff): Explained by bundled vendor test fixtures for new doc feature. ai
source-diff large-new-source-files AI (source-diff): New Storybook/docz doc-generation feature adds fixtures/tests, not malicious code. ai
source-diff net-exec-file:src/fixtures/doc/normal/.doc/static/js/vendors.27f5d684.js AI (source-diff): Bundled webpack vendor chunk in test fixtures, not injected payload. ai
source-diff net-exec-file:src/fixtures/doc/css-modules/.doc/static/js/vendors.27f5d684.js AI (source-diff): Bundled webpack vendor chunk in test fixtures, not injected payload. ai
source-diff net-exec-file:src/fixtures/doc/config-theme/.doc/static/js/vendors.27f5d684.js AI (source-diff): Bundled webpack vendor chunk in test fixtures, not injected payload. ai
source-diff net-exec-file:src/fixtures/doc/babel-extra-babel-presets-and-plugins/.doc/static/js/vendors.27f5d684.js AI (source-diff): Bundled webpack vendor chunk in test fixtures, not injected payload. ai
provenance publisher-changed AI (provenance): Change is to CI/CD-attested GitHub Actions publish, resolving prior manual-publisher concern. ai
phantom-deps phantom-dep:@storybook/cli AI (phantom-deps): Config-referenced tooling dep, not code-imported; expected for this build toolkit. ai
semgrep semgrep:child-process-import AI (semgrep): Used by docz doc-generation module, not toward an external destination. ai
publish-pattern new-deps-added AI (publish-pattern): babel-plugin-styled-components is a well-known legitimate Babel plugin; its addition to a bundler/build tool is expected and benign. ai
semgrep semgrep:dynamic-require AI (semgrep): father is a package parser; dynamic require of package.json files by path is core to its functionality, not a security risk. ai
phantom-deps phantom-dep:extend AI (phantom-deps): extend is a declared dependency in package.json; phantom-dep finding is a false positive for this package. ai
provenance no-provenance AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker for an established package. ai
phantom-deps phantom-dep:babel-plugin-dynamic-import-node AI (phantom-deps): babel-plugin-dynamic-import-node is explicitly declared as a runtime dep at a pinned version; used as a config-level plugin rather than directly imported in source. ai
dependencies unvetted-dep:@umijs/core AI (dependencies): First-party UmiJS ecosystem dependency; father is maintained by the same umijs org and this is an expected runtime dep. ai
dependencies unvetted-dep:@umijs/babel-preset-umi AI (dependencies): First-party UmiJS ecosystem dependency; expected for this build tool maintained by the umijs org. ai
dependencies unvetted-dep:@umijs/bundler-webpack AI (dependencies): First-party UmiJS ecosystem dependency; expected for this build tool maintained by the umijs org. ai
dependencies unvetted-dep:@umijs/bundler-utils AI (dependencies): First-party UmiJS ecosystem dependency; expected for this build tool maintained by the umijs org. ai
dependencies unvetted-dep:@umijs/utils AI (dependencies): First-party UmiJS ecosystem dependency; expected for this build tool maintained by the umijs org. ai

Versions (showing 79 of 79)

Version Deps Published
4.6.31 23 / 20
4.6.30 23 / 20
4.6.29 23 / 20
4.6.28 23 / 20
4.6.27 23 / 20
4.6.26 23 / 20
4.6.25 23 / 20
4.6.18 23 / 20
4.6.8 23 / 20
4.5.3 23 / 20
4.5.2 23 / 20
4.5.1 23 / 20
4.4.1 21 / 20
4.4.0 21 / 20
4.3.8 20 / 20
4.3.7 20 / 20
4.3.6 20 / 20
2.30.16 34 / 0
2.30.8 34 / 0
2.13.6 51 / 0
2.10.0 51 / 0
0.13.1 10 / 6
0.13.0 10 / 6
0.12.0 10 / 6
0.11.0 10 / 6
0.10.6 9 / 6
0.10.5 9 / 6
0.10.4 9 / 6
0.10.3 8 / 6
0.10.2 8 / 6
0.10.1 8 / 6
0.10.0 8 / 6
0.9.7 7 / 5
0.9.6 7 / 5
0.9.5 7 / 5
0.9.4 7 / 5
0.9.3 7 / 5
0.9.2 6 / 5
0.9.1 6 / 5
0.9.0 6 / 5
0.8.7 6 / 5
0.8.6 6 / 5
0.8.5 6 / 5
0.8.4 6 / 5
0.8.3 6 / 4
0.8.2 6 / 4
0.8.1 6 / 4
0.8.0 6 / 4
0.7.3 6 / 4
0.7.2 6 / 4
0.7.1 6 / 4
0.7.0 5 / 4
0.6.14 5 / 4
0.6.13 5 / 4
0.6.12 5 / 4
0.6.11 5 / 4
0.6.10 5 / 4
0.6.9 5 / 4
0.6.8 5 / 4
0.6.7 5 / 4
0.6.6 5 / 4
0.6.4 5 / 4
0.6.3 5 / 4
0.6.2 5 / 4
0.6.1 5 / 4
0.6.0 5 / 4
0.5.6 5 / 4
0.5.5 5 / 4
0.5.4 5 / 4
0.5.3 5 / 4
0.5.2 5 / 4
0.5.1 5 / 4
0.5.0 5 / 4
0.4.0 4 / 4
0.3.1 4 / 4
0.3.0 4 / 4
0.2.1 3 / 4
0.2.0 3 / 4
0.1.0 2 / 4

v4.6.31

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.30

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.29

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.28

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: zoomdong07 → GitHub Actions (on 2026-07-13, now via trusted publisher with provenance) provenance

This version was published by a different npm account (GitHub Actions) than the most recent previously approved version (zoomdong07) on 2026-07-13, but it carries Sigstore provenance attestation. This means the package moved to a trusted publisher (CI/CD with OIDC, e.g. GitHub Actions) — a supply-chain integrity improvement, not a compromise, since a stolen npm token cannot forge provenance bound to the source repository. Recorded as INFO for audit trail.

v4.6.27

2 findings
HIGH Publisher changed: zoomdong07 → GitHub Actions (on 2026-07-10) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2026-07-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.26

2 findings
HIGH Publisher changed: zoomdong07 → GitHub Actions (on 2026-07-08) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2026-07-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.25

2 findings
HIGH Publisher changed: zoomdong07 → GitHub Actions (on 2026-07-01) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2026-07-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.8

3 findings
CRITICAL Unvetted dependency: @utoo/pack dependencies

[Always reject] Version constraint: 1.0.0.

CRITICAL Publisher changed: peachscript → zoomdong07 (on 2025-11-25) provenance

[Always reject] This version was published by a different npm account than previous versions on 2025-11-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.30.16

3 findings
HIGH Publisher changed: popomore → peachscript (on 2022-02-08) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.

HIGH child-process-import: lib/doc/docz.js:10 semgrep

child_process imported — can execute arbitrary system commands Source: ssh://[email protected]/umijs/father/blob/2cca6a2cbf3869ebe96e9f64ff89b2877e12a79a/lib/doc/docz.js#L10 8 | var assert = _interopRequireWildcard(require("assert")); 9 | > 10 | var _child_process = require("child_process"); 11 | 12 | var _path = require("path");

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.30.8

3 findings
HIGH Publisher changed: popomore → peachscript (on 2021-08-08) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2021-08-08. This could indicate a legitimate maintainer transition or an account compromise.

HIGH child-process-import: lib/doc/docz.js:10 semgrep

child_process imported — can execute arbitrary system commands Source: ssh://[email protected]/umijs/father/blob/fd6e4d0564f9e494f76e6dc70770f02fea87b284/lib/doc/docz.js#L10 8 | var assert = _interopRequireWildcard(require("assert")); 9 | > 10 | var _child_process = require("child_process"); 11 | 12 | var _path = require("path");

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.6

3 findings
HIGH Publisher changed: popomore → zombiej (on 2019-07-15) provenance

[Reject — re-review on republish] (prior reject: AI (provenance): Publisher changed to zoomdong07, an account with 4062 rejected packages and only 824 approved. This is a persistent red flag for this package.) This version was published by a different npm account than previous versions on 2019-07-15. This could indicate a legitimate maintainer transition or an account compromise.

HIGH child-process-import: lib/doc/docz.js:10 semgrep

child_process imported — can execute arbitrary system commands Source: ssh://[email protected]/umijs/father/blob/3281abe5d635c48103218c2bf4ef6d0db5197fc4/lib/doc/docz.js#L10 8 | var assert = _interopRequireWildcard(require("assert")); 9 | > 10 | var _child_process = require("child_process"); 11 | 12 | var _path = require("path");

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.0

8 findings
HIGH New file with network + code execution: src/fixtures/doc/babel-extra-babel-presets-and-plugins/.doc/static/js/vendors.27f5d684.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. Artifact: bundled (webpack) — bundler banner in the scanned head, but the file is larger than the scan window and its remainder is unclassified, so this is not a clean bill of health.

HIGH New file with network + code execution: src/fixtures/doc/config-theme/.doc/static/js/vendors.27f5d684.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. Artifact: bundled (webpack) — bundler banner in the scanned head, but the file is larger than the scan window and its remainder is unclassified, so this is not a clean bill of health.

HIGH New file with network + code execution: src/fixtures/doc/css-modules/.doc/static/js/vendors.27f5d684.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. Artifact: bundled (webpack) — bundler banner in the scanned head, but the file is larger than the scan window and its remainder is unclassified, so this is not a clean bill of health.

HIGH New file with network + code execution: src/fixtures/doc/normal/.doc/static/js/vendors.27f5d684.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. Artifact: bundled (webpack) — bundler banner in the scanned head, but the file is larger than the scan window and its remainder is unclassified, so this is not a clean bill of health.

HIGH child-process-import: lib/doc/doc.e2e.js:5 semgrep

child_process imported — can execute arbitrary system commands Source: ssh://[email protected]/umijs/father/blob/20f8734087f1ce2bedad422bd93d007973c635f8/lib/doc/doc.e2e.js#L5 3 | var _path = require("path"); 4 | > 5 | var _child_process = require("child_process"); 6 | 7 | var _puppeteer = _interopRequireDefault(require("puppeteer"));

HIGH child-process-import: lib/doc/docz.js:10 semgrep

child_process imported — can execute arbitrary system commands Source: ssh://[email protected]/umijs/father/blob/20f8734087f1ce2bedad422bd93d007973c635f8/lib/doc/docz.js#L10 8 | var assert = _interopRequireWildcard(require("assert")); 9 | > 10 | var _child_process = require("child_process"); 11 | 12 | var _path = require("path");

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: popomore → sorrycc (on 2019-06-19, known maintainer) provenance

This version was published by a different npm account (sorrycc) than the most recent previously approved version (popomore) on 2019-06-19, but sorrycc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.