@vueuse/components — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

vueuse-bot

Keywords

vuevue-useutils

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from vueuse-bot to GitHub Actions is a documented CI migration; SLSA attestation confirms official repo pipeline.	ai	2026/05/02
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy reflects publishing cadence change, not takeover; SLSA provenance and org repo URL confirm legitimacy.	ai	2026/05/02
email-domain	unclaimed-email:https://github.com/wheatjs	AI (email-domain): Author field contains a GitHub URL, not an email domain; no registerable domain at risk. Stable false positive for this package.	ai	2026/04/28

Versions (showing 6 of 6)

Version	Deps	Published
14.3.0	2 / 0	2026-05-01
14.2.1	2 / 0	2026-02-10
14.2.0	2 / 0	2026-01-31
14.1.0	2 / 0	2025-11-27
14.0.0	2 / 0	2025-10-22
13.1.0	2 / 0	2025-04-08

v14.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.2.1

2 findings

HIGH Unclaimed maintainer email domain: https://github.com/wheatjs email-domain

Maintainer email 'https://github.com/wheatjs' uses domain 'https://github.com/wheatjs' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.2.0

2 findings

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2026-01-31) provenance

This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.1.0

2 findings

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2025-11-27) provenance

This version was published by a different npm account than previous versions on 2025-11-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.0.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: vueuse-bot → GitHub Actions (on 2025-10-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.

v13.1.0

2 findings

HIGH Unclaimed maintainer email domain: https://github.com/wheatjs email-domain

Maintainer email 'https://github.com/wheatjs' uses domain 'https://github.com/wheatjs' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.