← Home

@vercel/oidc

npm Repository Homepage

Runtime OIDC helpers intended for use with Vercel Functions

14
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

matheussmatt.strakavercel-release-botzeit-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:@types/ms AI (phantom-deps): @types/ms is an intentional runtime dependency alongside ms for type info; stable pattern for this package. ai
publish-pattern new-deps-added AI (publish-pattern): @vercel/cli-auth is a first-party Vercel package from the same monorepo; not a suspicious third-party addition. ai
provenance publisher-changed AI (provenance): Vercel migrated publishing to GitHub Actions CI; SLSA attestation confirms legitimate CI/CD origin. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainer matt.straka is consistent with Vercel org team changes; SLSA provenance corroborates legitimate release. ai

Versions (showing 14 of 14)

Version Deps Published
3.5.0 0 / 6
3.4.1 0 / 6
3.4.0 0 / 6
3.3.1 0 / 7
3.3.0 1 / 7
3.2.1 0 / 6
3.2.0 0 / 6
3.1.0 0 / 6
3.0.5 0 / 6
3.0.4 0 / 6
3.0.3 0 / 6
3.0.2 0 / 6
3.0.1 0 / 6
3.0.0 2 / 6

v3.5.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.1

2 findings
HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-04-22) provenance

This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.