# webpack@4.47.0 — Threat Briefing

Low risk — threat briefing for npm package webpack@4.47.0. Capabilities, risk paths, and what to check.

- **Ecosystem:** npm
- **Latest version:** 5.105.2
- **License:** MIT

## Risk

- **Level:** low
- **Summary:** Dynamic code evaluation with network access — potential code injection or exfiltration

## Capability Summary

| Capability | Level |
|---|---|
| install scripts | none |
| network access | client |
| filesystem | both |
| shell execution | exec |

## Capabilities

### Execution

- CLI command installation [common]
- Dynamic code execution (eval) [unusual]
- Shell execution [expected]

### Other

- No dependency lockfile (unpinned installs) [common]
- Cryptographic hashing [common]
- Node.js inspector/debugger backdoor [common]
- Long encoded payload [common]
- Global eval() call [common]
- Filesystem read from package directory (info-only) [common]
- new Function() constructor [common]
- Method named .eval / .evaluate (info-only) [common]
- Network stdlib call (info-only) [common]
- External vendor / cloud integration [common]
- VM code execution [common]
- Node vm-module / v8 bytecode execution [common]
- WebAssembly execution [common]

### Environment

- Environment variable access [common]

### Filesystem

- Filesystem read [expected]
- Filesystem write [expected]

### Network

- Network client [common]

## Key Signals

- ****
- ****

## Trust Signals

### Code Safety

- No access to sensitive paths
- No network activity during install

## Maintainer