@vitejs/plugin-rsc — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

yyx990803vitebot

reactreact-server-componentsrscvitevite-plugin

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/plugin-BK29Va7z.js	AI (source-diff): Bundled build artifact with standard Node/Vite imports; no actual network fetch or dynamic eval present.	ai	2026/06/02
maintainer-change	maintainer-removed	AI (maintainer-change): vitejs org uses CI-automated publishing; maintainer list changes are expected and SLSA provenance confirms legitimate CI origin.	ai	2026/06/02
source-diff	net-exec-file:dist/plugin-COe11H-Q.js	AI (source-diff): New bundled dist file contains standard Vite plugin imports; no actual dropper/malware pattern present.	ai	2026/05/02

2 findings

HIGH New file with network + code execution: dist/plugin-BK29Va7z.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.