
@nuxt/nitro-server

18 versions
License
No install scripts
Verified provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

nuxtbot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/_chunks/libs/@vue/compiler-dom.d.mts | AI (source-diff): Bundled TypeScript declaration file with many re-exports produces long lines; this is normal for framework packages bundling vendor types. | ai |
phantom-deps | phantom-dep:klona | AI (phantom-deps): klona is a legitimate UnJS ecosystem package declared as a dependency; used indirectly through bundled code in this framework package. | ai |
source-diff | net-exec-file:dist/_chunks/libs/@vitejs/plugin-vue-jsx.d.mts | AI (source-diff): TypeScript declaration files (.d.mts) are not executed at runtime. Node:http imports are type-only references, not actual network/exec code. Stable false positive for this package. | ai |
source-diff | obfuscated-file:dist/_chunks/libs/@vitejs/plugin-vue-jsx.d.mts | AI (source-diff): Bundled Vite/Vue JSX plugin declaration file; long lines are expected in bundled .d.mts files. | ai |
source-diff | obfuscated-file:dist/_chunks/libs/@babel/parser.d.mts | AI (source-diff): Bundled Babel TypeScript declaration file; long lines are expected in autogenerated/bundled .d.ts files. | ai |
source-diff | obfuscated-file:dist/runtime/templates/error-500.mjs | AI (source-diff): This file contains a minified inline HTML/CSS/JS error page template, a standard pattern for Nuxt/Nitro error pages. Not obfuscated; long lines are expected for inline HTML templates. | ai |
phantom-deps | phantom-dep:mocked-exports | AI (phantom-deps): mocked-exports is a build-time stub dependency used in Nuxt's module system config files, not directly imported. This is a stable pattern for this package. | ai |
phantom-deps | phantom-dep:vue-devtools-stub | AI (phantom-deps): vue-devtools-stub is a build-time stub dependency used in Nuxt's module system config files. This is a stable pattern for this package. | ai |
dependencies | unvetted-dep:nitropack | AI (dependencies): nitropack is a core Nuxt/UnJS ecosystem package; legitimate dependency for @nuxt/nitro-server across all versions. | ai |
dependencies | unvetted-dep:@unhead/vue | AI (dependencies): @unhead/vue is the official Vue head management library used throughout the Nuxt ecosystem. | ai |
dependencies | unvetted-dep:pkg-types | AI (dependencies): pkg-types is a well-known UnJS utility package; legitimate dependency for this Nuxt monorepo package. | ai |
dependencies | unvetted-dep:vue-devtools-stub | AI (dependencies): vue-devtools-stub is a known stub package for Vue devtools in production builds; legitimate use. | ai |
dependencies | unvetted-dep:mocked-exports | AI (dependencies): mocked-exports is a build stub utility used in Nuxt's module aliasing system; legitimate use. | ai |
dependencies | unvetted-dep:@nuxt/devalue | AI (dependencies): @nuxt/devalue is an official Nuxt scoped package for value serialization; expected dependency. | ai |
dependencies | unvetted-dep:vue-bundle-renderer | AI (dependencies): vue-bundle-renderer is a UnJS/Nuxt ecosystem package for SSR bundle rendering; legitimate dependency. | ai |
bogus-package | bogus-package | AI (bogus-package): Official Nuxt monorepo package with SLSA provenance; README link density reflects Nuxt docs style, not spam. | ai |

Versions (showing 18 of 18)

Version | Deps | Published
4.4.6 | 27 / 7 |
4.4.5 | 28 / 6 |
4.4.4 | 28 / 6 |
4.4.2 | 29 / 6 |
4.3.1 | 27 / 4 |
4.3.0 | 27 / 4 |
4.2.2 | 26 / 4 |
4.2.1 | 26 / 4 |
4.2.0 | 26 / 4 |
3.21.6 | 27 / 4 |
3.21.5 | 27 / 4 |
3.21.4 | 27 / 4 |
3.21.2 | 27 / 4 |
3.21.1 | 27 / 4 |
3.21.0 | 27 / 4 |
3.20.2 | 26 / 4 |
3.20.1 | 26 / 4 |
3.20.0 | 26 / 4 |

v4.4.6 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.5 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.4 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.2 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.0 (2 findings)

HIGH (source-diff): New obfuscated file: dist/runtime/templates/error-500.mjs
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.6 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.5 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.4 (1 finding)

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.2 (2 findings)

HIGH (source-diff): New obfuscated file: dist/runtime/templates/error-500.mjs
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.1 (6 findings)

HIGH (source-diff): New obfuscated file: dist/runtime/templates/error-500.mjs
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/_chunks/libs/@vue/compiler-dom.d.mts
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/_chunks/libs/@babel/parser.d.mts
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New obfuscated file: dist/_chunks/libs/@vitejs/plugin-vue-jsx.d.mts
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH (source-diff): New file with network + code execution: dist/_chunks/libs/@vitejs/plugin-vue-jsx.d.mts
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO (provenance): Has SLSA provenance attestation
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.