@vercel/microfrontends

8 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

matheuss, matt.straka, vercel-release-bot, zeit-bot

Keywords

microfrontends, micro-frontends, micro frontends, microservices, Vercel, Next.js, React

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Vercel migrated publishing from vercel-release-bot to GitHub Actions CI; SLSA attestation confirms legitimate pipeline. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): vercel-release-bot with strong track record; v2.0.0 major release explains gap. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Vercel org manages maintainers centrally; removal consistent with team changes, not takeover. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): md5 and semver are established, low-risk packages appropriate for config/validation tooling from a trusted Vercel publisher. | ai |
phantom-deps | phantom-dep:@types/md5 | AI (phantom-deps): @types/md5 is a type declaration for the md5 runtime dep; declared in dependencies for type resolution, stable false positive. | ai |
dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a well-established package; its use here is consistent with the proxy functionality of this microfrontends library. | ai |

Versions (showing 8 of 8)

Version Deps Published
2.3.3 12 / 25
2.3.2 12 / 25
2.3.1 12 / 25
2.2.2 12 / 25
2.1.3 12 / 26
2.1.2 12 / 26
2.0.0 12 / 26
1.2.2 9 / 25

v2.3.3

2 findings
HIGH  Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-19)  (provenance)

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.1

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.3

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.