@volar/vue-code-gen — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

johnsoncodehk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Signals reflect compiled build output with minimal metadata, not malware. Legitimate GitHub repo, proper license.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/source-map	AI (phantom-deps): Same-org dependency used indirectly through build output; expected for monorepo packages.	ai	2026/04/24
phantom-deps	phantom-dep:@vue/compiler-dom	AI (phantom-deps): Vue framework package loaded by convention in compiler tooling; expected phantom dep pattern.	ai	2026/04/24
phantom-deps	phantom-dep:@vue/compiler-core	AI (phantom-deps): Vue framework package loaded by convention in compiler tooling; expected phantom dep pattern.	ai	2026/04/24
source-diff	source-size-dropped	AI (source-diff): Source files excluded from npm package per files field; compiled output only. Standard practice.	ai	2026/04/24
phantom-deps	phantom-dep:@vue/shared	AI (phantom-deps): Vue framework package loaded by convention in compiler tooling; expected phantom dep pattern.	ai	2026/04/24
phantom-deps	phantom-dep:@volar/code-gen	AI (phantom-deps): Same-org dependency used indirectly through build output; expected for monorepo packages.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): Volar is a Vue language tooling package; large generated JS files in out/ are expected build artifacts for a code generation library. This pattern is stable across versions.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Older package predating widespread Sigstore adoption; trusted publisher with 2533 approved packages. Absence of provenance is not a risk signal here.	ai	2026/04/23
dependencies	unvetted-dep:@vue/compiler-core	AI (dependencies): @vue/compiler-core is an official Vue.js core package, expected and appropriate for a Vue code generation library.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Monorepo sub-package from the established Volar ecosystem; missing description is a stable cosmetic omission, not a malicious signal.	ai	2026/04/23

Versions (showing 24 of 24)

Version	Deps	Published
0.39.5	5 / 1	2022-08-06
0.39.2	5 / 1	2022-07-28
0.38.2	5 / 1	2022-06-26
0.38.0	5 / 1	2022-06-18
0.37.2	5 / 1	2022-06-07
0.37.0	5 / 1	2022-06-06
0.35.1	5 / 1	2022-05-30
0.34.17	5 / 1	2022-05-28
0.34.15	5 / 1	2022-05-15
0.34.13	5 / 1	2022-05-11
0.34.11	5 / 1	2022-04-29
0.34.8	5 / 1	2022-04-21
0.34.3	5 / 1	2022-04-10
0.34.1	5 / 1	2022-04-09
0.34.0	5 / 1	2022-04-09
0.33.9	5 / 1	2022-03-25
0.33.3	5 / 1	2022-03-21
0.33.1	7 / 1	2022-03-13
0.31.4	7 / 1	2022-02-13
0.31.3	7 / 1	2022-02-12
0.30.5	7 / 1	2022-01-17
0.30.3	7 / 1	2022-01-16
0.29.8	7 / 1	2021-11-30
0.29.2	7 / 1	2021-11-09

v0.39.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.