@vercel/ncc
Simple CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style.
37
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
nick.traceymatt.strakavercel-release-botzeit-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): vercel-release-bot is Vercel's official release automation account with 1524 approved packages. Publisher change from styfle (Vercel employee) to release bot is a legitimate organizational transition. | ai | |
| source-diff | encoded-string-file:dist/ncc/index.js.cache.js | AI (source-diff): Cache files in ncc contain bundled library code (MIME type databases, minified deps). Long encoded strings are expected artifacts of ncc's bundling process, not malicious payloads. | ai | |
| source-diff | encoded-string-file:dist/ncc/loaders/ts-loader.js.cache.js | AI (source-diff): ts-loader cache contains bundled TypeScript compiler internals. Long encoded strings are TypeScript AST/compiler exports, expected for ncc's ts-loader bundle. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Vercel consolidated to vercel-release-bot for publishing. Mass maintainer removal is consistent with organizational automation transition, not a takeover. | ai |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 0.38.4 | 0 / 89 | |
| 0.38.3 | 0 / 89 | |
| 0.38.2 | 0 / 89 | |
| 0.38.1 | 0 / 89 | |
| 0.38.0 | 0 / 89 | |
| 0.37.0 | 0 / 89 | |
| 0.36.1 | 0 / 90 | |
| 0.36.0 | 0 / 91 | |
| 0.34.0 | 0 / 91 | |
| 0.33.4 | 0 / 90 | |
| 0.33.3 | 0 / 90 | |
| 0.33.2 | 0 / 90 | |
| 0.33.1 | 0 / 92 | |
| 0.33.0 | 0 / 92 | |
| 0.32.0 | 0 / 92 | |
| 0.31.1 | 0 / 92 | |
| 0.31.0 | 0 / 92 | |
| 0.30.0 | 0 / 92 | |
| 0.29.2 | 0 / 92 | |
| 0.29.1 | 0 / 92 | |
| 0.29.0 | 0 / 92 | |
| 0.28.6 | 0 / 92 | |
| 0.28.5 | 0 / 92 | |
| 0.28.4 | 0 / 92 | |
| 0.28.3 | 0 / 93 | |
| 0.28.2 | 0 / 93 | |
| 0.28.1 | 0 / 93 | |
| 0.28.0 | 0 / 93 | |
| 0.27.0 | 0 / 93 | |
| 0.26.2 | 0 / 93 | |
| 0.26.1 | 0 / 93 | |
| 0.26.0 | 0 / 93 | |
| 0.25.1 | 0 / 93 | |
| 0.25.0 | 0 / 92 | |
| 0.24.1 | 0 / 91 | |
| 0.24.0 | 0 / 91 | |
| 0.23.0 | 0 / 91 |