@next/env — Greenflagged

Next.js dotenv file loading

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

vercel-release-botrauchgtimneutkenstimermatt.straka

Keywords

reactnextnext.jsdotenv

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from vercel-release-bot to GitHub Actions CI; SLSA attestation confirms legitimate pipeline change.	ai	2026/05/30
npm-metadata	suspicious-initial-version	AI (npm-metadata): @next/env uses 0.0.0 as a legitimate namespace-reservation stub; this is a documented pattern for Next.js scoped packages with 2809 real versions in the registry.	ai	2026/04/24
typosquat	typosquat.levenshtein:ajv	AI (typosquat): @next/env is an official Vercel/Next.js scoped package; Levenshtein match to 'ajv' is purely coincidental with no brand impersonation.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Inflated semver and minimal README are expected for Next.js sub-packages versioned in lockstep with the framework. Publisher is vercel-release-bot with strong track record.	ai	2026/04/21

Versions (showing 100 of 262)

Version	Deps	Published
16.2.6	0 / 3	2026-05-07
16.2.5	0 / 3	2026-05-06
16.2.4	0 / 3	2026-04-15
16.2.3	0 / 3	2026-04-08
16.2.2	0 / 3	2026-04-01
16.2.1	0 / 3	2026-03-20
16.2.0	0 / 3	2026-03-18
16.1.7	0 / 3	2026-03-16
16.1.6	0 / 3	2026-01-27
16.1.5	0 / 3	2026-01-26
16.1.4	0 / 3	2026-01-19
16.1.3	0 / 3	2026-01-16
16.1.2	0 / 3	2026-01-14
16.1.1	0 / 3	2025-12-22
16.1.0	0 / 3	2025-12-18
16.0.11	0 / 3	2026-01-26
16.0.10	0 / 3	2025-12-11
16.0.9	0 / 3	2025-12-11
16.0.8	0 / 3	2025-12-08
16.0.7	0 / 3	2025-12-03
16.0.6	0 / 3	2025-11-30
16.0.5	0 / 3	2025-11-26
16.0.4	0 / 3	2025-11-24
16.0.3	0 / 3	2025-11-13
16.0.2	0 / 3	2025-11-12
16.0.1	0 / 3	2025-10-28
16.0.0	0 / 3	2025-10-22
15.5.18	0 / 3	2026-05-07
15.5.16	0 / 3	2026-05-06
15.5.15	0 / 3	2026-04-08
15.5.14	0 / 3	2026-03-19
15.5.13	0 / 3	2026-03-16
15.5.12	0 / 3	2026-02-04
15.5.11	0 / 3	2026-01-28
15.5.10	0 / 3	2026-01-26
15.5.9	0 / 3	2025-12-11
15.5.8	0 / 3	2025-12-11
15.5.7	0 / 3	2025-12-03
15.5.6	0 / 3	2025-10-17
15.5.5	0 / 3	2025-10-13
15.5.4	0 / 3	2025-09-23
15.5.3	0 / 3	2025-09-10
15.5.2	0 / 3	2025-08-26
15.5.1	0 / 3	2025-08-26
15.5.0	0 / 3	2025-08-20
15.4.11	0 / 3	2026-01-26
15.4.10	0 / 3	2025-12-11
15.4.9	0 / 3	2025-12-11
15.4.8	0 / 3	2025-12-03
15.4.7	0 / 3	2025-08-18
15.4.6	0 / 3	2025-08-06
15.4.5	0 / 3	2025-07-29
15.4.4	0 / 3	2025-07-24
15.4.3	0 / 3	2025-07-22
15.4.2	0 / 3	2025-07-18
15.4.1	0 / 3	2025-07-14
15.4.0	0 / 3	2025-07-14
15.3.9	0 / 3	2026-01-26
15.3.8	0 / 3	2025-12-11
15.3.7	0 / 3	2025-12-11
15.3.6	0 / 3	2025-12-03
15.3.5	0 / 3	2025-07-03
15.3.4	0 / 3	2025-06-18
15.3.3	0 / 3	2025-05-29
15.3.2	0 / 3	2025-05-06
15.3.1	0 / 3	2025-04-17
15.3.0	0 / 3	2025-04-09
15.2.9	0 / 3	2026-01-26
15.2.8	0 / 3	2025-12-11
15.2.7	0 / 3	2025-12-11
15.2.6	0 / 3	2025-12-03
15.2.5	0 / 3	2025-04-08
15.2.4	0 / 3	2025-03-24
15.2.3	0 / 3	2025-03-18
15.2.2	0 / 3	2025-03-11
15.2.1	0 / 3	2025-03-03
15.2.0	0 / 3	2025-02-26
15.1.12	0 / 3	2026-01-26
15.1.11	0 / 3	2025-12-11
15.1.10	0 / 3	2025-12-11
15.1.9	0 / 3	2025-12-03
15.1.8	0 / 3	2025-05-22
15.1.7	0 / 3	2025-02-11
15.1.6	0 / 3	2025-01-22
15.1.5	0 / 3	2025-01-17
15.1.4	0 / 3	2025-01-07
15.1.3	0 / 3	2024-12-26
15.1.2	0 / 3	2024-12-19
15.1.1	0 / 3	2024-12-17
15.1.0	0 / 3	2024-12-10
15.0.8	0 / 3	2026-01-26
15.0.7	0 / 3	2025-12-11
15.0.6	0 / 3	2025-12-11
15.0.5	0 / 3	2025-12-03
15.0.4	0 / 3	2024-12-05
15.0.3	0 / 3	2024-11-07
15.0.2	0 / 3	2024-10-29
15.0.1	0 / 3	2024-10-23
15.0.0	0 / 3	2024-10-21
14.2.35	0 / 3	2025-12-11

Showing 100 of 262 Next page →

v16.2.6

2 findings

HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-07) provenance

This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance