@ai-sdk/provider — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

vercel-release-botmatheussmatt.straka

Keywords

ai

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/index.d.mts	AI (source-diff): Bundled TypeScript declaration file with long type-union lines; not obfuscated.	ai	2026/04/29
npm-metadata	no-description	AI (npm-metadata): Sub-package in vercel/ai monorepo; missing description is a metadata gap, not a security signal.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Legitimate transition from jaredpalmer (Vercel employee) to vercel-release-bot (Vercel's CI/CD bot with 592 approved packages). Standard org practice.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): vercel-release-bot added as maintainer for automated publishing; well-established Vercel bot account.	ai	2026/04/21
npm-metadata	suspicious-initial-version	AI (npm-metadata): @ai-sdk/provider uses 0.0.0 as a monorepo placeholder version; with 16M weekly downloads and 140 registry versions, this is a well-established legitimate package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Sparse README and description are typical of monorepo sub-packages in the Vercel AI SDK; not indicative of spam or malicious intent.	ai	2026/04/21

Versions (showing 100 of 144)

Hide prereleases

Version	Deps	Published
3.0.10	1 / 5	2026-04-30
3.0.9	1 / 5	2026-04-29
3.0.8	1 / 5	2026-02-06
3.0.7	1 / 5	2026-02-01
3.0.6	1 / 5	2026-01-29
3.0.5	1 / 5	2026-01-22
3.0.4	1 / 5	2026-01-16
3.0.3	1 / 5	2026-01-14
3.0.2	1 / 5	2026-01-06
3.0.1	1 / 5	2025-12-30
3.0.0	1 / 5	2025-12-22
2.0.3	1 / 5	2026-04-30
2.0.2	1 / 5	2026-04-29
2.0.1	1 / 5	2025-12-30
2.0.0	1 / 5	2025-07-31
1.1.3	1 / 5	2025-04-14
1.1.2	1 / 5	2025-04-08
1.1.1	1 / 5	2025-04-08
1.1.0	1 / 5	2025-03-21
1.0.12	1 / 5	2025-03-19
1.0.11	1 / 5	2025-03-13
1.0.10	1 / 5	2025-03-05
1.0.9	1 / 5	2025-02-24
1.0.8	1 / 5	2025-02-19
1.0.7	1 / 5	2025-01-31
1.0.6	1 / 5	2025-01-23
1.0.5	1 / 5	2025-01-22
1.0.4	1 / 5	2025-01-07
1.0.3	1 / 5	2024-12-21
1.0.2	1 / 5	2024-12-10
1.0.1	1 / 5	2024-11-21
1.0.0	1 / 5	2024-11-18
0.0.26	1 / 5	2024-10-25
0.0.24	1 / 5	2024-09-27
0.0.23	1 / 5	2024-09-05
0.0.22	1 / 5	2024-08-26
0.0.21	1 / 5	2024-08-20
0.0.20	1 / 5	2024-08-16
0.0.19	1 / 5	2024-08-14
0.0.18	1 / 5	2024-08-12
0.0.17	1 / 5	2024-08-08
0.0.16	1 / 5	2024-08-07
0.0.15	1 / 5	2024-08-06
0.0.14	1 / 5	2024-07-25
0.0.13	1 / 5	2024-07-23
0.0.12	1 / 5	2024-07-09
0.0.11	1 / 5	2024-06-27
0.0.10	1 / 5	2024-06-06
0.0.9	1 / 5	2024-06-05
0.0.8	1 / 5	2024-05-28
0.0.7	1 / 5	2024-05-27
0.0.6	1 / 5	2024-05-23
0.0.5	1 / 5	2024-05-14
0.0.4	1 / 5	2024-05-13
0.0.3	1 / 5	2024-04-28
0.0.2	1 / 5	2024-04-23
0.0.1	1 / 5	2024-04-23
0.0.0	1 / 5	2024-04-10
4.0.0-beta.9	1 / 5	2026-04-08
4.0.0-beta.8	1 / 5	2026-04-07
4.0.0-beta.7	1 / 5	2026-04-03
4.0.0-beta.6	1 / 5	2026-04-02
4.0.0-beta.5	1 / 5	2026-03-24
4.0.0-beta.4	1 / 5	2026-03-19
4.0.0-beta.3	1 / 5	2026-03-18
4.0.0-beta.2	1 / 5	2026-03-16
4.0.0-beta.12	1 / 5	2026-04-13
4.0.0-beta.11	1 / 5	2026-04-13
4.0.0-beta.10	1 / 5	2026-04-08
4.0.0-beta.1	1 / 5	2026-03-16
4.0.0-beta.0	1 / 5	2026-03-05
3.0.0-beta.9	1 / 5	2025-10-27
3.0.0-beta.8	1 / 5	2025-10-17
3.0.0-beta.7	1 / 5	2025-10-16
3.0.0-beta.6	1 / 5	2025-10-07
3.0.0-beta.32	1 / 5	2025-12-22
3.0.0-beta.31	1 / 5	2025-12-21
3.0.0-beta.30	1 / 5	2025-12-20
3.0.0-beta.29	1 / 5	2025-12-20
3.0.0-beta.28	1 / 5	2025-12-19
3.0.0-beta.27	1 / 5	2025-12-17
3.0.0-beta.26	1 / 5	2025-12-09
3.0.0-beta.25	1 / 5	2025-12-07
3.0.0-beta.24	1 / 5	2025-12-05
3.0.0-beta.23	1 / 5	2025-12-03
3.0.0-beta.22	1 / 5	2025-11-28
3.0.0-beta.21	1 / 5	2025-11-28
3.0.0-beta.20	1 / 5	2025-11-26
3.0.0-beta.19	1 / 5	2025-11-25
3.0.0-beta.18	1 / 5	2025-11-25
3.0.0-beta.17	1 / 5	2025-11-23
3.0.0-beta.16	1 / 5	2025-11-11
3.0.0-beta.15	1 / 5	2025-11-03
3.0.0-beta.14	1 / 5	2025-10-31
3.0.0-beta.13	1 / 5	2025-10-28
3.0.0-beta.12	1 / 5	2025-10-27
3.0.0-beta.11	1 / 5	2025-10-27
3.0.0-beta.10	1 / 5	2025-10-27
2.1.0-beta.5	1 / 5	2025-10-06
2.1.0-beta.4	1 / 5	2025-09-30

Showing 100 of 144 Next page →

v3.0.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.9

3 findings

HIGH New obfuscated file: dist/index.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: vercel-release-bot → GitHub Actions (on 2026-04-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-29. This could indicate a legitimate maintainer transition or an account compromise.

v2.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.