Gathering detailed insights and metrics for webpack
Gathering detailed insights and metrics for webpack
Gathering detailed insights and metrics for webpack
Gathering detailed insights and metrics for webpack
A bundler for javascript and friends. Packs many modules into a few bundled assets. Code Splitting allows for loading parts of the application on demand. Through "loaders", modules can be CommonJs, AMD, ES6 modules, CSS, Images, JSON, Coffeescript, LESS, ... and your custom stuff.
npm install webpack
Typescript
Module System
Min. Node Version
Node Version
NPM Version
91
Supply Chain
77.5
Quality
90.2
Maintenance
100
Vulnerability
100
License
JavaScript (97.72%)
CSS (1.96%)
TypeScript (0.17%)
WebAssembly (0.13%)
CoffeeScript (0.01%)
Less (0.01%)
Total Downloads
6,651,084,921
Last Day
1,456,552
Last Week
29,477,257
Last Month
128,091,025
Last Year
1,390,926,201
MIT License
65,420 Stars
17,835 Commits
9,078 Forks
1,446 Watchers
86 Branches
841 Contributors
Updated on Jul 02, 2025
Minified
Minified + Gzipped
Latest Version
5.99.9
Package Id
webpack@5.99.9
Unpacked Size
5.08 MB
Size
0.99 MB
File Count
691
NPM Version
10.9.2
Node Version
22.13.1
Published on
May 20, 2025
Cumulative downloads
Total Downloads
Last Day
-8.1%
1,456,552
Compared to previous day
Last Week
-8.3%
29,477,257
Compared to previous week
Last Month
2.1%
128,091,025
Compared to previous month
Last Year
5.9%
1,390,926,201
Compared to previous year
24
80
[![npm][npm]][npm-url]
[![node][node]][node-url]
[![builds1][builds1]][builds1-url]
[![dependency-review][dependency-review]][dependency-review-url]
[![coverage][cover]][cover-url]
[![PR's welcome][prs]][prs-url]
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
Install with npm:
1npm install --save-dev webpack
Install with yarn:
1yarn add webpack --dev
Webpack is a bundler for modules. The main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
TL;DR
Check out webpack's quick Get Started guide and the other guides.
Webpack supports all browsers that are ES5-compliant (IE8 and below are not supported).
Webpack also needs Promise
for import()
and require.ensure()
. If you want to support older browsers, you will need to load a polyfill before using these expressions.
Webpack has a rich plugin interface. Most of the features within webpack itself use this plugin interface. This makes webpack very flexible.
Name | Status | Install Size | Description |
---|---|---|---|
mini-css-extract-plugin | Extracts CSS into separate files. It creates a CSS file per JS file which contains CSS. | ||
compression-webpack-plugin | Prepares compressed versions of assets to serve them with Content-Encoding | ||
html-bundler-webpack-plugin | Renders a template (EJS, Handlebars, Pug) with referenced source asset files into HTML. | ||
html-webpack-plugin | Simplifies creation of HTML files (index.html ) to serve your bundles | ||
pug-plugin | Renders Pug files to HTML, extracts JS and CSS from sources specified directly in Pug. |
Webpack enables the use of loaders to preprocess files. This allows you to bundle any static resource way beyond JavaScript. You can easily write your own loaders using Node.js.
Loaders are activated by using loadername!
prefixes in require()
statements,
or are automatically applied via regex from your webpack configuration.
Name | Status | Install Size | Description |
---|---|---|---|
val-loader | Executes code as module and considers exports as JS code |
Name | Status | Install Size | Description |
---|---|---|---|
Loads and transpiles a CSON file |
Name | Status | Install Size | Description |
---|---|---|---|
Loads ES2015+ code and transpiles to ES5 using Babel | |||
Loads TypeScript like JavaScript | |||
Loads CoffeeScript like JavaScript |
Name | Status | Install Size | Description |
---|---|---|---|
Exports HTML as string, requires references to static resources | |||
Loads Pug templates and returns a function | |||
Compiles Pug to a function or HTML string, useful for use with Vue, React, Angular | |||
Compiles Markdown to HTML | |||
Loads and transforms a HTML file using PostHTML | |||
Compiles Handlebars to HTML |
Name | Status | Install Size | Description |
---|---|---|---|
<style> | Add exports of a module as style to DOM | ||
Loads CSS file with resolved imports and returns CSS code | |||
Loads and compiles a LESS file | |||
Loads and compiles a Sass/SCSS file | |||
Loads and compiles a Stylus file | |||
Loads and transforms a CSS/SSS file using PostCSS |
Webpack uses async I/O and has multiple caching levels. This makes webpack fast and incredibly fast on incremental compilations.
Webpack supports ES2015+, CommonJS and AMD modules out of the box. It performs clever static analysis on the AST of your code. It even has an evaluation engine to evaluate simple expressions. This allows you to support most existing libraries out of the box.
Webpack allows you to split your codebase into multiple chunks. Chunks are loaded asynchronously at runtime. This reduces the initial loading time.
Webpack can do many optimizations to reduce the output size of your JavaScript by deduplicating frequently used modules, minifying, and giving you full control of what is loaded initially and what is loaded at runtime through code splitting. It can also make your code chunks cache friendly by using hashes.
We want contributing to webpack to be fun, enjoyable, and educational for anyone, and everyone. We have a vibrant ecosystem that spans beyond this single repo. We welcome you to check out any of the repositories in our organization or webpack-contrib organization which houses all of our loaders and plugins.
Contributions go far beyond pull requests and commits. Although we love giving you the opportunity to put your stamp on webpack, we also are thrilled to receive a variety of other contributions including:
To get started have a look at our documentation on contributing.
If you create a loader or plugin, we would <3 for you to open source it, and put it on npm. We follow the x-loader
, x-webpack-plugin
naming convention.
We consider webpack to be a low-level tool used not only individually but also layered beneath other awesome tools. Because of its flexibility, webpack isn't always the easiest entry-level solution, however we do believe it is the most powerful. That said, we're always looking for ways to improve and simplify the tool without compromising functionality. If you have any ideas on ways to accomplish this, we're all ears!
If you're just getting started, take a look at our new docs and concepts page. This has a high level overview that is great for beginners!!
If you have discovered a 🐜 or have a feature suggestion, feel free to create an issue on GitHub.
For information about the governance of the Node.js project, see GOVERNANCE.md.
Most of the core team members, webpack contributors and contributors in the ecosystem do this open source work in their free time. If you use webpack for a serious task, and you'd like us to invest more time on it, please donate. This project increases your income/productivity too. It makes development and applications faster and it reduces the required bandwidth.
This is how we use the donations:
Before we started using OpenCollective, donations were made anonymously. Now that we have made the switch, we would like to acknowledge these sponsors (and the ones who continue to donate using OpenCollective). If we've missed someone, please send us a PR, and we'll add you to this list.
Become a gold sponsor and get your logo on our README on GitHub with a link to your site.
Become a silver sponsor and get your logo on our README on GitHub with a link to your site.
Become a bronze sponsor and get your logo on our README on GitHub with a link to your site.
Become a backer and get your image on our README on GitHub with a link to your site.
9.8/10
Summary
Cross-realm object access in Webpack 5
Affected Versions
>= 5.0.0, < 5.76.0
Patched Versions
5.76.0
6.4/10
Summary
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
Affected Versions
>= 5.0.0-alpha.0, < 5.94.0
Patched Versions
5.94.0
Reason
30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
1 existing vulnerabilities detected
Details
Reason
Found 17/28 approved changesets -- score normalized to 6
Reason
badge detected: InProgress
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
binaries present in source code
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
project is not fuzzed
Details
Score
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More