@volar/vue-language-core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance attestation is a best practice but not a blocker for established packages with strong publisher track record. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is benign for an established scoped package from a trusted publisher with 112 prior versions. | ai | |
| dependencies | unvetted-dep:muggle-string | AI (dependencies): muggle-string is a utility package authored by the same maintainer (johnsoncodehk) as part of the Volar ecosystem; not a risk. | ai | |
| dependencies | unvetted-dep:vue-template-compiler | AI (dependencies): vue-template-compiler is the official Vue 2 template compiler from the vuejs org; a legitimate and expected dependency for Vue language tooling. | ai | |
| dependencies | unvetted-dep:@vue/compiler-core | AI (dependencies): Standard Vue ecosystem dependency; appropriate for Vue language service package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used for controlled plugin loading with path resolution constrained to rootDir; legitimate pattern for this package. | ai | |
| dependencies | unvetted-dep:@vue/compiler-sfc | AI (dependencies): Standard Vue ecosystem dependency; appropriate for Vue language service package. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 1.6.5 | 9 / 1 | |
| 1.6.4 | 9 / 1 | |
| 1.6.2 | 9 / 1 | |
| 1.6.1 | 9 / 1 | |
| 1.6.0 | 9 / 1 | |
| 1.5.3 | 9 / 1 | |
| 1.5.2 | 9 / 1 | |
| 1.4.1 | 9 / 1 | |
| 1.3.19 | 9 / 1 | |
| 1.3.15 | 9 / 1 | |
| 1.3.13 | 9 / 1 | |
| 1.3.8 | 9 / 1 | |
| 1.3.6 | 9 / 1 | |
| 1.3.4 | 9 / 1 | |
| 1.1.5 | 9 / 1 | |
| 1.0.24 | 8 / 1 | |
| 1.0.18 | 8 / 1 | |
| 1.0.6 | 8 / 1 | |
| 0.40.13 | 7 / 2 | |
| 0.40.12 | 7 / 2 | |
| 0.40.11 | 7 / 2 | |
| 0.40.9 | 7 / 2 | |
| 0.40.6 | 7 / 2 | |
| 0.40.5 | 7 / 2 | |
| 0.40.3 | 7 / 2 | |
| 0.40.2 | 7 / 2 | |
| 0.40.0 | 7 / 2 | |
| 0.39.5 | 5 / 2 | |
| 0.39.4 | 5 / 2 | |
| 0.39.3 | 5 / 2 | |
| 0.39.2 | 5 / 2 | |
| 0.39.0 | 5 / 2 | |
v1.6.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.39.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.39.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.