rolldown
Fast JavaScript/TypeScript bundler in Rust with Rollup-compatible API.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require is loading a fixed 'package.json' file via path join — not user-controlled input. This is a stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 21.6M weekly downloads and 620 versions; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-hoPhcrA-.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-HcmWcfPe.cjs | AI (source-diff): Bundled [email protected] library output with readable code and region comments; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-9Ij3R3TG.cjs | AI (source-diff): Bundled consola prompt chunk; readable code with long lines from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-Xyw7SC_7.mjs | AI (source-diff): ESM variant of bundled consola library; readable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-RFvZMmjc.cjs | AI (source-diff): Bundled consola prompt chunk; readable code, long lines from bundling not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-DWsVjwtA.mjs | AI (source-diff): ESM variant of bundled consola library; readable structured code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DGW8ZJmn.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-_8_dG1Nr.cjs | AI (source-diff): Bundled consola library output; readable code with region comments, not obfuscation. Expected for a bundler tool. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-RVbq7gBJ.cjs | AI (source-diff): Bundled output of [email protected] library; readable code with source path comments, not obfuscation. Standard for a bundler's dist output. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-Q6AgPcFh.cjs | AI (source-diff): Bundled output of consola prompt module; readable code with source path comments, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-ED9jtJgC.mjs | AI (source-diff): ESM variant of bundled [email protected]; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-uoOfg_gh.mjs | AI (source-diff): ESM variant of bundled consola prompt module; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-BiXtYIJ2.cjs | AI (source-diff): Bundled consola prompt chunk; readable code with region comments, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-D9ce-831.mjs | AI (source-diff): ESM variant of bundled [email protected]; readable code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-DlQ-08lk.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Rolldown bundles dependencies into dist/; file count growth is normal for this build tool package. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-B7L-radJ.cjs | AI (source-diff): Bundled [email protected] library output; readable code with region comments, not obfuscation. Standard for a bundler tool. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-Ah5G71p-.cjs | AI (source-diff): Bundled consola prompt chunk; readable JS with long lines from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-m5cABVv4.mjs | AI (source-diff): ESM variant of bundled consola library; same readable code as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-9VjtYvi_.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable JS, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-eps_ogJv.cjs | AI (source-diff): Bundled consola library output; readable JS, not obfuscated. Standard for build tools shipping dist bundles. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-LYk41n1z.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk. Readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-vP5sHLso.cjs | AI (source-diff): Bundled consola prompt chunk, not obfuscated. Readable terminal escape sequence code from [email protected]. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-p4CNcyTx.cjs | AI (source-diff): Bundled consola library output, not obfuscated. Readable code with long lines from bundling. Standard for a bundler tool shipping pre-bundled CLI deps. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-QyAKDJpW.mjs | AI (source-diff): ESM variant of bundled consola library. Same readable code, just ESM imports. Standard bundler output. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-N8xiTrv3.cjs | AI (source-diff): Bundled output of [email protected] logging library; readable code with long lines typical of bundler dist output. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-1K6oCkIU.cjs | AI (source-diff): Bundled output of consola prompt module; readable code, no obfuscation, standard Node.js imports only. | ai | |
| source-diff | obfuscated-file:dist/shared/consola.36c0034f-jtHhMkSX.mjs | AI (source-diff): ESM variant of bundled [email protected]; same readable code as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-pjyLzLci.mjs | AI (source-diff): ESM variant of bundled consola prompt module; readable code, no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-qKiYiowG.mjs | AI (source-diff): ESM variant of bundled consola prompt chunk; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-5LhwiLE2.mjs | AI (source-diff): ESM variant of bundled consola dependency; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/prompt-v8IJTptZ.cjs | AI (source-diff): Bundled consola prompt chunk into dist output; readable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/shared/consola_36c0034f-WXb1k8ME.cjs | AI (source-diff): Bundled consola dependency into dist output; readable code, not obfuscated. Rolldown is a bundler that inlines deps. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.15.1 | 1 / 24 | |
| 0.15.0 | 1 / 24 | |
| 0.14.0 | 1 / 23 | |
| 0.13.2 | 1 / 22 | |
| 0.13.1 | 1 / 22 | |
| 0.13.0 | 1 / 22 | |
| 0.12.2 | 1 / 20 | |
| 0.12.1 | 1 / 20 | |
| 0.12.0 | 1 / 20 | |
| 0.11.1 | 1 / 20 | |
| 0.11.0 | 1 / 20 | |
| 0.10.5 | 6 / 15 | |
| 0.10.4 | 17 / 16 | |
| 0.10.3 | 12 / 21 | |
| 0.10.2 | 11 / 14 | |
| 0.10.1 | 10 / 11 | |
| 0.10.0 | 10 / 9 | |
| 0.9.2 | 10 / 9 | |
| 0.9.1 | 10 / 9 | |
| 0.3.0 | 10 / 0 | |
v0.15.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.