@nuxt/kit
Toolkit for authoring modules and interacting with Nuxt
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): @nuxt/kit is a core Nuxt framework package; missing description is a metadata gap, not a malware signal. | ai | |
| provenance | no-provenance | AI (provenance): Established Nuxt core package predates Sigstore provenance adoption; not a security concern. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (rc9, knitwork) are established utility packages appropriate for a toolkit; no malicious patterns. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition from danielroe to GitHub Actions CI/CD; consistent with Nuxt's automated release process. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are Nuxt core team members; normal organizational change, not a takeover. | ai | |
| phantom-deps | phantom-dep:std-env | AI (phantom-deps): std-env is a known phantom dependency pattern for this package; stable across versions. | ai | |
| dependencies | unvetted-dep:unimport | AI (dependencies): unimport is a core UnJS/Nuxt ecosystem utility for auto-imports; its use in @nuxt/kit is expected and stable across versions. | ai | |
| dependencies | unvetted-dep:unctx | AI (dependencies): unctx is a standard context utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:klona | AI (dependencies): klona is a standard cloning utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:untyped | AI (dependencies): untyped is a standard type utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:c12 | AI (dependencies): c12 is a standard config utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:rc9 | AI (dependencies): rc9 is a standard config utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:defu | AI (dependencies): defu is a standard utility for object defaults; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:errx | AI (dependencies): errx is a standard error utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:ohash | AI (dependencies): ohash is a standard hashing utility; appropriate dependency for a Nuxt toolkit. | ai | |
| dependencies | unvetted-dep:pkg-types | AI (dependencies): pkg-types is a standard transitive dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:jiti | AI (dependencies): jiti is a standard transitive dependency with reasonable version constraint; stable for this package. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): Scoped package @nuxt/kit is not a typosquat; Levenshtein distance matching on scoped names produces false positives. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): Scoped package @nuxt/kit is not a typosquat; Levenshtein distance matching on scoped names produces false positives. | ai | |
| typosquat | typosquat.levenshtein:koa | AI (typosquat): Scoped package @nuxt/kit is not a typosquat; Levenshtein distance matching on scoped names produces false positives. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.6.4 | 14 / 1 | |
| 0.6.3 | 14 / 1 | |
| 0.6.2 | 14 / 1 | |
| 0.6.1 | 14 / 1 | |
| 0.6.0 | 14 / 1 | |
| 0.5.3 | 13 / 1 | |
| 0.5.2 | 13 / 1 | |
| 0.5.1 | 13 / 1 | |
| 0.5.0 | 13 / 1 | |
| 0.4.0 | 13 / 1 | |
| 0.3.0 | 13 / 1 | |
| 0.2.0 | 13 / 0 | |
v0.6.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: danielroe.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-16. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.