@nuxt/schema
Nuxt types and default configuration
Versions: 1
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
nuxtbot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:jiti | AI (dependencies): jiti is a legitimate TypeScript/ESM runtime loader, a core dependency in the Nuxt/Vite ecosystem. No malicious signals; stable use across many Nuxt versions. | ai | |
| phantom-deps | phantom-dep:create-require | AI (phantom-deps): create-require is a CJS compatibility shim used indirectly; phantom-dep pattern is expected for this package. | ai | |
| phantom-deps | phantom-dep:scule | AI (phantom-deps): scule is a string utility used indirectly; phantom-dep pattern is expected for schema/config packages. | ai | |
| phantom-deps | phantom-dep:jiti | AI (phantom-deps): jiti is used indirectly via config resolution at runtime; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:c12 | AI (phantom-deps): c12 is a Nuxt config loader used indirectly at runtime; phantom-dep pattern is expected for schema/config packages. | ai | |
| dependencies | unvetted-dep:postcss-import-resolver | AI (dependencies): postcss-import-resolver is a standard PostCSS utility with no malicious signals; its use in a schema package for CSS config resolution is expected. | ai | |
| dependencies | unvetted-dep:@nuxt/ui-templates | AI (dependencies): @nuxt/ui-templates is a first-party Nuxt package; unvetted status is a false positive for ecosystem packages. | ai | |
| dependencies | unvetted-dep:compatx | AI (dependencies): compatx is a UnJS ecosystem utility, the same org as Nuxt. Legitimate dependency with stable usage across Nuxt versions. | ai | |
| dependencies | unvetted-dep:uncrypto | AI (dependencies): uncrypto is a UnJS ecosystem utility for cross-runtime crypto. Legitimate dependency maintained by the same Nuxt/UnJS team. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are known Nuxt core team; reflects shift to automated CI/CD publishing with provenance attestation. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from danielroe to GitHub Actions CI/CD with SLSA provenance is a standard, secure publishing practice for the Nuxt framework. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): pkg-types is a legitimate UnJS ecosystem package maintained by the same org as Nuxt; its addition to @nuxt/schema is expected and benign. | ai | |
| dependencies | unvetted-dep:defu | AI (dependencies): defu is a well-known UnJS utility maintained by the same Nuxt/UnJS team; standard dependency across the Nuxt ecosystem. | ai | |
| dependencies | unvetted-dep:pkg-types | AI (dependencies): pkg-types is a stable utility package widely used in the Nuxt ecosystem; unvetted status does not reflect actual risk. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 3.2.2 | 13 / 8 | |
v3.2.2 (1 finding)
LOW (source: provenance): No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.