← Home

webpack-dev-server

npm Repository Homepage

Serves a webpack app. Updates the browser on changes.

5
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

15000621931ev1stensberg__haisokraavivkellerevilebottnawijhnnshiroppy

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; legitimate for this package. ai
dependencies unvetted-dep:launch-editor AI (dependencies): launch-editor is a well-known utility used by webpack-dev-server for its editor-open-on-error feature; stable legitimate dependency for this package. ai
semgrep semgrep:child-process-import AI (semgrep): Child process import in CLI bin file is legitimate for a dev server tool that spawns processes. ai
semgrep semgrep:child-process-spawn AI (semgrep): Child process spawn in CLI is expected behavior for webpack-dev-server's command execution. ai
phantom-deps phantom-dep:@types/serve-index AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/serve-static AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/express-serve-static-core AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/ws AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:spdy AI (phantom-deps): spdy is a legitimate HTTP/2 library used by webpack-dev-server for HTTPS/HTTP2 support; referenced in config/conditional code paths rather than a top-level import. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is used to deserialize a user-configured overlay filter function string — a documented webpack-dev-server feature, not an external attack surface. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require uses require.resolve() to load a known package's package.json — standard Node.js pattern, not arbitrary code execution. Stable for this package. ai
phantom-deps phantom-dep:@types/connect-history-api-fallback AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/sockjs AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/bonjour AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai
phantom-deps phantom-dep:@types/express AI (phantom-deps): @types/* packages are TypeScript type definitions legitimately shipped as runtime deps for TS consumers; not directly require()d by design. ai

Versions (showing 5 of 5)

Version Deps Published
5.2.5 28 / 63
5.2.4 28 / 61
5.2.3 28 / 61
5.2.2 28 / 57
5.2.1 28 / 57

v5.2.5

2 findings
HIGH Publisher changed: evilebottnawi → GitHub Actions (on 2026-06-12) provenance

This version was published by a different npm account than previous versions on 2026-06-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.2.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.