← Home

@vue/language-core

npm Repository Homepage

<p> <a href="https://www.npmjs.com/package/@vue/language-core"><img src="https://img.shields.io/npm/v/@vue/language-core.svg?labelColor=18181B&color=1584FC" alt="NPM version"></a> <a href="https://github.com/vuejs/language-tools/blob/master/LICENSE"><

51
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

johnsoncodehkkazariex

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): alien-signals is a legitimate reactive signals library by the same maintainer, replacing computeds as an internal dependency swap within the Vue language tools ecosystem. ai
provenance publisher-changed AI (provenance): kazariex is a known Vue ecosystem contributor; this is a legitimate maintainer transition within the vuejs/language-tools project, not a compromise. ai
maintainer-change maintainer-added AI (maintainer-change): kazariex is a recognized contributor to the official vuejs/language-tools repo; addition is a legitimate team change. ai
source-diff large-new-source-files AI (source-diff): This is a compiled TypeScript monorepo package; large JS build artifacts are expected across versions. No malicious content indicated. ai
dependencies unvetted-dep:vue-template-compiler AI (dependencies): vue-template-compiler is the official Vue 2 template compiler; its use in @vue/language-core for Vue 2 syntax support is expected and legitimate across all versions of this package. ai
provenance no-provenance AI (provenance): Lack of Sigstore provenance is a best-practice gap, not a security blocker for established publisher. ai
npm-metadata no-description AI (npm-metadata): Monorepo sub-package from the official vuejs/language-tools repo; missing description is a cosmetic issue, not a malware indicator. ai
dependencies unvetted-dep:@vue/compiler-vue2 AI (dependencies): @vue/compiler-vue2 is an official Vue 2 compiler package used by Vue language-tools to support Vue 2 SFC syntax; its presence is expected and legitimate for this package. ai
dependencies unvetted-dep:muggle-string AI (dependencies): muggle-string is a legitimate utility library; stable constraint and accepted risk for this package. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require of resolved Vue package.json for version detection; normal pattern in Vue tooling, not arbitrary loading. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() used for legitimate Vue template offset handling, not evasion; stable pattern for this package. ai

Versions (showing 51 of 69)

Hide prereleases View all versions
Version Deps Published
3.3.1 7 / 5
3.3.0 7 / 5
3.2.9 7 / 5
3.2.8 7 / 5
2.2.10 8 / 5
2.2.6 8 / 5
2.1.8 8 / 5
2.1.5 8 / 5
2.1.4 8 / 5
2.1.2 8 / 5
2.1.0 8 / 5
2.0.29 8 / 5
2.0.20 7 / 4
2.0.19 7 / 4
2.0.11 7 / 4
2.0.10 7 / 4
2.0.6 7 / 4
2.0.5 7 / 4
1.8.27 9 / 4
1.8.26 9 / 4
1.8.25 9 / 4
1.8.24 9 / 4
1.8.22 8 / 2
1.8.21 8 / 2
1.8.20 8 / 2
1.8.19 8 / 2
1.8.18 8 / 2
1.8.17 8 / 2
1.8.16 8 / 2
1.8.15 8 / 2
1.8.14 8 / 2
1.8.13 8 / 2
1.8.12 8 / 2
1.8.11 8 / 2
1.8.10 8 / 2
1.8.8 8 / 2
1.8.7 8 / 2
1.8.6 8 / 2
1.8.5 8 / 2
1.8.4 8 / 2
1.8.3 8 / 2
1.8.2 8 / 2
1.8.1 8 / 2
1.8.0 8 / 2
1.7.14 8 / 2
1.7.13 8 / 2
1.7.12 8 / 2
1.7.11 8 / 2
1.7.10 8 / 2
1.7.9 8 / 2
1.7.8 8 / 2

v3.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.8

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kazariex → GitHub Actions (on 2026-05-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.

v2.2.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.6

2 findings
HIGH Publisher changed: johnsoncodehk → kazariex (on 2025-03-01) provenance

This version was published by a different npm account than previous versions on 2025-03-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.29

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.20

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.11

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.