@vercel/nft — Greenflagged

[![CI Status](https://github.com/vercel/nft/actions/workflows/ci.yml/badge.svg)](https://github.com/vercel/nft/actions/workflows/ci.yml)

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

matheussmatt.strakavercel-release-botzeit-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from vercel-release-bot to GitHub Actions is a routine CI change within the Vercel org.	ai	2026/05/30
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() is used inside a Proxy handler for module resolution interception — standard pattern for a module tracing tool, not obfuscation.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): Vercel org regularly updates maintainer roster as team grows; new maintainers are recognizable Vercel employees. No code changes accompany the roster update.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers appear to be former Vercel staff; consistent with normal org churn. No suspicious code changes.	ai	2026/04/24
phantom-deps	phantom-dep:mkdirp	AI (phantom-deps): mkdirp is declared and used in config; phantom-dep pattern is stable for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): picomatch is a well-known, widely-used glob library and is actually the engine underlying micromatch; this swap is a legitimate dependency simplification for this package.	ai	2026/04/24
dependencies	unvetted-dep:node-gyp-build	AI (dependencies): node-gyp-build is a standard native addon utility; its use in @vercel/nft for resolving native binary paths is expected and stable across versions.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is core to nft's dependency-tracing functionality; it resolves node-gyp-build paths for native bindings analysis. Stable pattern across versions.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval('require.resolve(...)') is a known bundler-safe pattern for module resolution in static analysis tools; not an attack vector in this context.	ai	2026/04/23

Versions (showing 13 of 13)

Version	Deps	Published
1.9.0	12 / 102	2026-05-27
1.4.0	12 / 102	2026-03-18
1.0.0	12 / 102	2025-11-20
0.29.3	12 / 104	2025-05-13
0.29.0	12 / 104	2025-01-02
0.28.0	12 / 104	2025-01-02
0.27.4	12 / 103	2024-09-03
0.22.6	11 / 99	2022-12-14
0.22.1	11 / 99	2022-09-01
0.17.3	11 / 94	2022-01-13
0.16.0	15 / 92	2021-10-11
0.9.3	16 / 84	2020-09-17
0.9.2	16 / 84	2020-09-04

v1.9.0

2 findings

HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.29.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.