@nuxt/vite-builder
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Major version bump inlined previously external deps via rolldown bundling. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/@babel/core.mjs | AI (source-diff): Bundled @babel/core via rolldown; readable code, not obfuscated. | ai | |
| source-diff | net-exec-file:dist/_chunks/libs/@babel/core.mjs | AI (source-diff): Babel core legitimately uses dynamic code gen and module resolution; not malicious. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Nuxt core team members still control the GitHub org; npm maintainer list change reflects CI publish setup. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from maintainer to GitHub Actions CI/CD publishing; SLSA provenance confirms legitimate pipeline. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Gap reflects v3→v4 major version cycle for Nuxt framework. SLSA provenance attestation from official GitHub Actions confirms legitimate publish. | ai | |
| source-diff | net-exec-file:dist/_chunks/index.d.mts | AI (source-diff): The network/exec imports in this .d.mts file are type-only declarations for node:net, node:http etc. — expected in a Vite build tool's type definitions, not dropper malware. | ai | |
| source-diff | obfuscated-file:dist/_chunks/index.d.mts | AI (source-diff): dist/_chunks/index.d.mts is a TypeScript declaration file with long type union lines, not obfuscated code. Expected for a Vite builder bundling complex type definitions. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/@babel/parser.d.mts | AI (source-diff): TypeScript declaration file for @babel/parser with long type union lines. Normal bundled .d.mts artifact, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/@vue/compiler-dom.d.mts | AI (source-diff): TypeScript declaration file with long import lines from bundled Vue compiler types. Not obfuscated or malicious. | ai | |
| source-diff | obfuscated-file:dist/_chunks/libs/@vue/compiler-core.d.mts | AI (source-diff): TypeScript declaration file with long lines from bundled type unions — not executable code, not obfuscated. Normal artifact for bundled .d.mts output in Nuxt/Vite packages. | ai | |
| source-diff | net-exec-file:dist/_chunks/libs/@vue/compiler-core.d.mts | AI (source-diff): .d.mts files are TypeScript declarations, never executed at runtime. net-exec detection on declaration files is a false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package of nuxt/nuxt; README linking to docs is expected, no keywords is normal for monorepo packages. Not a spam/phishing package. | ai | |
| phantom-deps | phantom-dep:mocked-exports | AI (phantom-deps): mocked-exports is a declared runtime dependency; phantom-dep false positive for this build tool package. | ai | |
| phantom-deps | phantom-dep:autoprefixer | AI (phantom-deps): autoprefixer is a declared runtime dependency used in build config helpers; phantom-dep false positive for build tools. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): postcss is a declared runtime dependency used in build config helpers; phantom-dep false positive for build tools. | ai | |
| phantom-deps | phantom-dep:cssnano | AI (phantom-deps): cssnano is a declared runtime dependency used in build config helpers; phantom-dep false positive for build tools. | ai |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 4.4.6 | 28 / 11 | |
| 4.4.5 | 28 / 11 | |
| 4.4.4 | 28 / 11 | |
| 4.4.2 | 28 / 11 | |
| 4.3.1 | 29 / 8 | |
| 4.3.0 | 29 / 8 | |
| 4.2.2 | 30 / 6 | |
| 4.2.1 | 30 / 6 | |
| 4.2.0 | 30 / 6 | |
| 4.1.3 | 29 / 6 | |
| 4.1.2 | 29 / 5 | |
| 4.1.1 | 29 / 5 | |
| 4.1.0 | 29 / 5 | |
| 4.0.3 | 29 / 5 | |
| 4.0.2 | 29 / 5 | |
| 4.0.1 | 29 / 5 | |
| 4.0.0 | 30 / 4 | |
| 3.21.6 | 31 / 9 | |
| 3.21.5 | 31 / 9 | |
| 3.21.4 | 31 / 9 | |
| 3.21.2 | 31 / 9 | |
| 3.21.1 | 32 / 8 | |
| 3.21.0 | 32 / 8 | |
| 3.20.2 | 33 / 6 | |
| 3.20.1 | 33 / 6 | |
| 3.20.0 | 33 / 6 |
v4.4.6
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.5
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.2.0
2 findingsThis version was published by a different npm account than previous versions on 2025-10-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.3
2 findingsThis version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.2
2 findingsThis version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.1
2 findingsThis version was published by a different npm account than previous versions on 2025-09-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.0
2 findingsThis version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.