Gathering detailed insights and metrics for webpack
Gathering detailed insights and metrics for webpack
A bundler for javascript and friends. Packs many modules into a few bundled assets. Code Splitting allows for loading parts of the application on demand. Through "loaders", modules can be CommonJs, AMD, ES6 modules, CSS, Images, JSON, Coffeescript, LESS, ... and your custom stuff.
Installations
npm install webpackDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=10.13.0
Node Version
22.13.1
NPM Version
10.9.2
Score
91
Supply Chain
77.5
Quality
90.2
Maintenance
100
Vulnerability
100
License
Releases
431
Languages
9
JavaScript
CSS
TypeScript
WebAssembly
CoffeeScript
Less
HTML
Pug
SCSS
JavaScript (97.72%)
CSS (1.96%)
TypeScript (0.17%)
WebAssembly (0.13%)
CoffeeScript (0.01%)
Less (0.01%)
Developer
Download Statistics
Total Downloads
6,651,084,921
Last Day
1,456,552
Last Week
29,477,257
Last Month
128,091,025
Last Year
1,390,926,201
GitHub Statistics
MIT License
65,420 Stars
17,835 Commits
9,078 Forks
1,446 Watchers
86 Branches
841 Contributors
Updated on Jul 02, 2025
Bundle Size
3.24 MB
Minified
807.27 kB
Minified + Gzipped
Sponsor this package
Maintainers
4
Package Meta Information
Latest Version
5.99.9
Package Id
webpack@5.99.9
Unpacked Size
5.08 MB
Size
0.99 MB
File Count
691
NPM Version
10.9.2
Node Version
22.13.1
Published on
May 20, 2025
Total Downloads
Cumulative downloads
Total Downloads
6,651,084,921
Last Day
-8.1%
1,456,552
Compared to previous day
Last Week
-8.3%
29,477,257
Compared to previous week
Last Month
2.1%
128,091,025
Compared to previous month
Last Year
5.9%
1,390,926,201
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
24
@types/eslint-scope@types/estree@types/json-schema@webassemblyjs/ast@webassemblyjs/wasm-edit@webassemblyjs/wasm-parseracornbrowserslistchrome-trace-eventenhanced-resolvees-module-lexereslint-scopeeventsglob-to-regexpgraceful-fsjson-parse-even-better-errorsloader-runnermime-typesneo-asyncschema-utilstapableterser-webpack-pluginwatchpackwebpack-sources
Dev Dependencies
80
@babel/core@babel/preset-react@codspeed/tinybench-plugin@eslint/js@stylistic/eslint-plugin@types/glob-to-regexp@types/jest@types/mime-types@types/node@types/xxhashjsassemblyscriptbabel-loaderbundle-loadercoffee-loadercoffeescriptcore-jscspellcss-loaderdate-fnses5-extes6-promise-polyfilleslinteslint-config-prettiereslint-plugin-jesteslint-plugin-jsdoceslint-plugin-neslint-plugin-prettiereslint-plugin-unicornfile-loaderfork-ts-checker-webpack-pluginglobalshash-wasmhuskyistanbuljestjest-circusjest-clijest-diffjest-environment-nodejest-junitjson-loaderjson5lessless-loaderlint-stagedlodashlodash-esmemfsmini-css-extract-pluginmini-svg-data-urinode-gypnycopen-cliprettierprettier-2pretty-formatpugpug-loaderraw-loaderreactreact-domrimrafscript-loadersimple-gitstrip-ansistyle-loaderterserthreetinybenchtomltoolingts-loadertypescripturl-loaderwast-loaderwebassembly-featurewebpack-clixxhashjsyamljsyarn-deduplicate
[![npm][npm]][npm-url]
[![node][node]][node-url]
[![builds1][builds1]][builds1-url]
[![dependency-review][dependency-review]][dependency-review-url]
[![coverage][cover]][cover-url]
[![PR's welcome][prs]][prs-url]
webpack
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
Table of Contents
- Install
- Introduction
- Concepts
- Contributing
- Support
- Current project members
- Sponsoring
- Special Thanks
Install
Install with npm:
1npm install --save-dev webpack
Install with yarn:
1yarn add webpack --dev
Introduction
Webpack is a bundler for modules. The main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
TL;DR
- Bundles ES Modules, CommonJS, and AMD modules (even combined).
- Can create a single bundle or multiple chunks that are asynchronously loaded at runtime (to reduce initial loading time).
- Dependencies are resolved during compilation, reducing the runtime size.
- Loaders can preprocess files while compiling, e.g. TypeScript to JavaScript, Handlebars strings to compiled functions, images to Base64, etc.
- Highly modular plugin system to do whatever else your application requires.
Learn about webpack through videos!
Get Started
Check out webpack's quick Get Started guide and the other guides.
Browser Compatibility
Webpack supports all browsers that are ES5-compliant (IE8 and below are not supported).
Webpack also needs Promise for import() and require.ensure(). If you want to support older browsers, you will need to load a polyfill before using these expressions.
Concepts
Plugins
Webpack has a rich plugin interface. Most of the features within webpack itself use this plugin interface. This makes webpack very flexible.
| Name | Status | Install Size | Description |
|---|---|---|---|
| mini-css-extract-plugin |  | Extracts CSS into separate files. It creates a CSS file per JS file which contains CSS. | |
| compression-webpack-plugin |  | Prepares compressed versions of assets to serve them with Content-Encoding | |
| html-bundler-webpack-plugin |  | Renders a template (EJS, Handlebars, Pug) with referenced source asset files into HTML. | |
| html-webpack-plugin |  | Simplifies creation of HTML files (index.html) to serve your bundles | |
| pug-plugin |  | Renders Pug files to HTML, extracts JS and CSS from sources specified directly in Pug. |
Loaders
Webpack enables the use of loaders to preprocess files. This allows you to bundle any static resource way beyond JavaScript. You can easily write your own loaders using Node.js.
Loaders are activated by using loadername! prefixes in require() statements,
or are automatically applied via regex from your webpack configuration.
Files
| Name | Status | Install Size | Description |
|---|---|---|---|
| val-loader |  | Executes code as module and considers exports as JS code |
JSON
| Name | Status | Install Size | Description |
|---|---|---|---|
 |  | Loads and transpiles a CSON file |
Transpiling
| Name | Status | Install Size | Description |
|---|---|---|---|
 |  | Loads ES2015+ code and transpiles to ES5 using Babel | |
 |  | Loads TypeScript like JavaScript | |
|  | Loads CoffeeScript like JavaScript |
Templating
| Name | Status | Install Size | Description |
|---|---|---|---|
 |  | Exports HTML as string, requires references to static resources | |
 |  | Loads Pug templates and returns a function | |
|  | Compiles Pug to a function or HTML string, useful for use with Vue, React, Angular | |
 |  | Compiles Markdown to HTML | |
 |  | Loads and transforms a HTML file using PostHTML | |
 |  | Compiles Handlebars to HTML |
Styling
| Name | Status | Install Size | Description |
|---|---|---|---|
<style> |  | Add exports of a module as style to DOM | |
 |  | Loads CSS file with resolved imports and returns CSS code | |
 |  | Loads and compiles a LESS file | |
 |  | Loads and compiles a Sass/SCSS file | |
 |  | Loads and compiles a Stylus file | |
 |  | Loads and transforms a CSS/SSS file using PostCSS |
Frameworks
| Name | Status | Install Size | Description |
|---|---|---|---|
 |  | Loads and compiles Vue Components | |
 |  | Process HTML & CSS with preprocessor of choice and require() Web Components like first-class modules | |
 |  | Loads and compiles Angular 2 Components | |
 |  | Riot official webpack loader | |
 |  | Official Svelte loader |
Performance
Webpack uses async I/O and has multiple caching levels. This makes webpack fast and incredibly fast on incremental compilations.
Module Formats
Webpack supports ES2015+, CommonJS and AMD modules out of the box. It performs clever static analysis on the AST of your code. It even has an evaluation engine to evaluate simple expressions. This allows you to support most existing libraries out of the box.
Code Splitting
Webpack allows you to split your codebase into multiple chunks. Chunks are loaded asynchronously at runtime. This reduces the initial loading time.
Optimizations
Webpack can do many optimizations to reduce the output size of your JavaScript by deduplicating frequently used modules, minifying, and giving you full control of what is loaded initially and what is loaded at runtime through code splitting. It can also make your code chunks cache friendly by using hashes.
Contributing
We want contributing to webpack to be fun, enjoyable, and educational for anyone, and everyone. We have a vibrant ecosystem that spans beyond this single repo. We welcome you to check out any of the repositories in our organization or webpack-contrib organization which houses all of our loaders and plugins.
Contributions go far beyond pull requests and commits. Although we love giving you the opportunity to put your stamp on webpack, we also are thrilled to receive a variety of other contributions including:
- Documentation updates, enhancements, designs, or bugfixes
- Spelling or grammar fixes
- README.md corrections or redesigns
- Adding unit, or functional tests
- Triaging GitHub issues -- especially determining whether an issue still persists or is reproducible.
- Searching #webpack on twitter and helping someone else who needs help
- Teaching others how to contribute to one of the many webpack's repos!
- Blogging, speaking about, or creating tutorials about one of webpack's many features.
- Helping others in our webpack gitter channel.
- The Contributor's Guide to webpack
To get started have a look at our documentation on contributing.
Creating your own plugins and loaders
If you create a loader or plugin, we would <3 for you to open source it, and put it on npm. We follow the x-loader, x-webpack-plugin naming convention.
Support
We consider webpack to be a low-level tool used not only individually but also layered beneath other awesome tools. Because of its flexibility, webpack isn't always the easiest entry-level solution, however we do believe it is the most powerful. That said, we're always looking for ways to improve and simplify the tool without compromising functionality. If you have any ideas on ways to accomplish this, we're all ears!
If you're just getting started, take a look at our new docs and concepts page. This has a high level overview that is great for beginners!!
If you have discovered a 🐜 or have a feature suggestion, feel free to create an issue on GitHub.
Current project members
For information about the governance of the Node.js project, see GOVERNANCE.md.
TSC (Technical Steering Committee)
- alexander-akait - Alexander Akait <sheo13666q@gmail.com> (he/him)
- evenstensberg - Even Stensberg <evenstensberg@gmail.com> (he/him)
- ovflowd - Claudio Wunder <cwunder@gnome.org> (he/they)
- snitin315 - Nitin Kumar <snitin315@gmail.com> (he/him)
- thelarkinn - Sean Larkin <selarkin@microsoft.com> (he/him)
Core Collaborators
- jhnns - Johannes Ewald <mail@johannesewald.de>
- sokra - Tobias Koppers <jackworks@protonmail.co>
- spacek33z - Kees Kluskens <kees@webduck.nl>
- TheLarkInn - Sean T. Larkin <selarkin@microsoft.com>
Sponsoring
Most of the core team members, webpack contributors and contributors in the ecosystem do this open source work in their free time. If you use webpack for a serious task, and you'd like us to invest more time on it, please donate. This project increases your income/productivity too. It makes development and applications faster and it reduces the required bandwidth.
This is how we use the donations:
- Allow the core team to work on webpack
- Thank contributors if they invested a large amount of time in contributing
- Support projects in the ecosystem that are of great value for users
- Support projects that are voted most (work in progress)
- Infrastructure cost
- Fees for money handling
Premium Partners
Other Backers and Sponsors
Before we started using OpenCollective, donations were made anonymously. Now that we have made the switch, we would like to acknowledge these sponsors (and the ones who continue to donate using OpenCollective). If we've missed someone, please send us a PR, and we'll add you to this list.
Gold Sponsors
Become a gold sponsor and get your logo on our README on GitHub with a link to your site.
Silver Sponsors
Become a silver sponsor and get your logo on our README on GitHub with a link to your site.
Bronze Sponsors
Become a bronze sponsor and get your logo on our README on GitHub with a link to your site.
Backers
Become a backer and get your image on our README on GitHub with a link to your site.
Critical
9.8/10
Summary
Cross-realm object access in Webpack 5
Affected Versions
>= 5.0.0, < 5.76.0
Patched Versions
5.76.0
Moderate
6.4/10
Summary
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
Affected Versions
>= 5.0.0-alpha.0, < 5.94.0
Patched Versions
5.94.0
Reason
30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/examples.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:13
- Info: no jobLevel write permissions found
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
Found 17/28 approved changesets -- score normalized to 6
Reason
badge detected: InProgress
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/dependency-review.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/dependency-review.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/examples.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/examples.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/examples.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/examples.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/examples.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/examples.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:163: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:207: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack/test.yml/main?enable=pin
- Info: 0 out of 22 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 4 third-party GitHubAction dependencies pinned
Reason
binaries present in source code
Details
- Warn: binary detected: examples/nodejs-addons/file.node:1
- Warn: binary detected: examples/wasm-bindgen-esm/pkg/hi_wasm_bg.wasm:1
- Warn: binary detected: examples/wasm-simple/add.wasm:1
- Warn: binary detected: examples/wasm-simple/factorial.wasm:1
- Warn: binary detected: examples/wasm-simple/fibonacci.wasm:1
- Warn: binary detected: test/cases/wasm/decoding/memory2.wasm:1
- Warn: binary detected: test/cases/wasm/decoding/memory3.wasm:1
- Warn: binary detected: test/cases/wasm/imports-complex-types/other.wasm:1
- Warn: binary detected: test/cases/wasm/imports-complex-types/wasm.wasm:1
- Warn: binary detected: test/cases/wasm/imports-multiple/wasm.wasm:1
- Warn: binary detected: test/cases/wasm/v128/v128.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/Q_rsqrt.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/duff.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/fact.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/fast-math.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/popcnt.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-async/testFunction.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/Q_rsqrt.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/duff.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/fact.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/fast-math.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/popcnt.wasm:1
- Warn: binary detected: test/cases/wasm/wasm-explorer-examples-sync/testFunction.wasm:1
- Warn: binary detected: test/configCases/wasm/externref/pkg/wasm_lib_bg.wasm:1
- Warn: binary detected: test/configCases/wasm/missing-wasm-experiment/wasm.wasm:1
- Warn: binary detected: test/configCases/wasm/reference-types/pkg/wasm_lib_bg.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/Q_rsqrt.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/duff.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/fact.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/fast-math.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/popcnt.wasm:1
- Warn: binary detected: test/statsCases/wasm-explorer-examples-sync/testFunction.wasm:1
- Warn: binary detected: test/watchCases/wasm/caching/0/wasm.wasm:1
- Warn: binary detected: test/watchCases/wasm/caching/1/wasm.wasm:1
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More