Gathering detailed insights and metrics for @rollup/plugin-html
Gathering detailed insights and metrics for @rollup/plugin-html
🍣 The one-stop shop for official Rollup plugins
Installations
npm install @rollup/plugin-htmlDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=14.0.0
Node Version
20.18.1
NPM Version
10.8.2
Releases
Unable to fetch releases
Languages
3
JavaScript
TypeScript
Shell
JavaScript (75.16%)
TypeScript (24.83%)
Shell (0.01%)
Developer
rollup
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
3,713 Stars
1,228 Commits
604 Forks
35 Watchers
6 Branches
270 Contributors
Updated on Jul 10, 2025
Maintainers
4
Package Meta Information
Latest Version
1.1.0
Package Id
@rollup/plugin-html@1.1.0
Unpacked Size
19.17 kB
Size
5.19 kB
File Count
8
NPM Version
10.8.2
Node Version
20.18.1
Published on
Dec 15, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
@rollup/plugin-html
🍣 A Rollup plugin which creates HTML files to serve Rollup bundles.
Please see Supported Output Formats for information about using this plugin with output formats other than esm (es), iife, and umd.
Requirements
This plugin requires an LTS Node version (v14.0.0+) and Rollup v1.20.0+.
Install
Using npm:
1npm install @rollup/plugin-html --save-dev
Usage
Create a rollup.config.js configuration file and import the plugin:
1const html = require('@rollup/plugin-html'); 2 3module.exports = { 4 input: 'src/index.js', 5 output: { 6 dir: 'output', 7 format: 'cjs' 8 }, 9 plugins: [html()] 10};
Then call rollup either via the CLI or the API.
Once run successfully, an HTML file should be written to the bundle output destination.
Options
addScriptsToHead
Type: Boolean
Default: false
Place scripts in the <head> tag instead of <body>.
attributes
Type: Object
Default: { html: { lang: 'en' }, link: null, script: null }
Specifies additional attributes for html, link, and script elements. For each property, provide an object with key-value pairs that represent an HTML element attribute name and value. By default, the html element is rendered with an attribute of lang="en".
Note: If using the es / esm output format, { type: 'module'} is automatically added to attributes.script.
fileName
Type: String
Default: 'index.html'
meta
Type: Array[...object]
Default: [{ charset: 'utf-8' }]
Specifies attributes used to create <meta> elements. For each array item, provide an object with key-value pairs that represent <meta> element attribute names and values.
Specifies the name of the HTML to emit.
publicPath
Type: String
Default: ''
Specifies a path to prepend to all bundle assets (files) in the HTML output.
template
Type: Function
Default: internal function
Returns: String
Specifies a function that provides the rendered source for the HTML output. The function should be in the form of:
1const template = ({ attributes, bundle, files, publicPath, title }) => { ... }attributes: Corresponds to theattributesoption passed to the pluginbundle: AnObjectcontaining key-value pairs ofAssetInfoorChunkInfofiles: AnArrayofAssetInfoorChunkInfocontaining any entry (isEntry: true) files, and any asset (isAsset: true) files in the bundle that will be emittedpublicPath: Corresponds to thepublicPathoption passed to the plugintitle: Corresponds to thetitleoption passed to the plugin
By default this is handled internally and produces HTML in the following format:
1<!DOCTYPE html> 2<html ${attributes}> 3 <head> 4 ${metas} 5 <title>${title}</title> 6 ${links} 7 </head> 8 <body> 9 ${scripts} 10 </body> 11</html>
Where ${links} represents all <link .. tags for CSS and ${scripts} represents all <script... tags for JavaScript files.
title
Type: String
Default: 'Rollup Bundle'
Specifies the HTML document title.
Exports
makeHtmlAttributes(attributes)
Parameters: attributes, Type: Object
Returns: String
Consumes an object with key-value pairs that represent an HTML element attribute name and value. The function returns all pairs as a space-separated string of valid HTML element attributes. e.g.
1const { makeHtmlAttributes } = require('@rollup/plugin-html'); 2 3makeHtmlAttributes({ lang: 'en', 'data-batcave': 'secret' }); 4// -> 'lang="en" data-batcave="secret"'
Supported Output Formats
By default, this plugin supports the esm (es), iife, and umd output formats, as those are most commonly used as browser bundles. Other formats can be used, but will require using the template option to specify a custom template function which renders the unique requirements of other formats.
amd
Will likely require use of RequireJS semantics, which allows only for a single entry <script> tag. If more entry chunks are emitted, these need to be loaded via a proxy file. RequireJS would also need to be a dependency and added to the build: https://requirejs.org/docs/start.html.
system
Would require a separate <script> tag first that adds the s.js minimal loader. Loading modules might then resemble: <script>System.import('./batman.js')</script>.
Attribution
This plugin was inspired by and is based upon mini-html-webpack-plugin by Juho Vepsäläinen and Artem Sapegin, with permission.
Meta
No vulnerabilities found.
Reason
12 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
binaries present in source code
Details
- Warn: binary detected: packages/wasm/test/fixtures/complex.wasm:1
- Warn: binary detected: packages/wasm/test/fixtures/imports.wasm:1
- Warn: binary detected: packages/wasm/test/fixtures/sample.wasm:1
Reason
Found 14/30 approved changesets -- score normalized to 4
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/node-windows.yml:1
- Warn: no topLevel permission defined: .github/workflows/pr-title.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/validate.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-windows.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/node-windows.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-windows.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/node-windows.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-windows.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/node-windows.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-title.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/pr-title.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/validate.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/validate.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/validate.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/rollup/plugins/validate.yml/master?enable=pin
- Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 4 third-party GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 14 are checked with a SAST tool
Reason
20 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-9pv7-vfvm-6vr7
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-vm32-9rqf-rh3r
- Warn: Project is vulnerable to: GHSA-8cc4-rfj6-fhg4
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Score
3.9
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More