← Home

@vueuse/core

npm Repository Homepage

Collection of essential Vue Composition Utilities

6
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

vueuse-bot

Keywords

vuevue-useutils

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Missing gitHead is expected when switching to GitHub Actions publishing; SLSA provenance attestation provides stronger supply chain integrity than gitHead alone. ai
source-diff obfuscated-file:dist/index.d.ts AI (source-diff): dist/index.d.ts is a bundled TypeScript declaration file with long lines from concatenated type exports — not obfuscation. This is standard practice for bundled .d.ts files in the vueuse ecosystem. ai
provenance publisher-changed AI (provenance): Migration from vueuse-bot to GitHub Actions with SLSA provenance attestation is a legitimate and security-improving CI/CD transition for this established package. ai
dependencies unvetted-dep:@vueuse/metadata AI (dependencies): @vueuse/metadata is a first-party monorepo sibling package from the vueuse org, always pinned to the same version as @vueuse/core. Not a third-party risk. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() in @vueuse/core is used in a Proxy handler for case-insensitive property aliasing — a standard JS pattern, not obfuscation. Stable false positive for this package. ai
phantom-deps phantom-dep:@types/web-bluetooth AI (phantom-deps): @types/web-bluetooth provides global type augmentation for Web Bluetooth APIs used by @vueuse/core composables. Declaring it as a dep for type propagation is intentional and stable. ai
typosquat typosquat.levenshtein:cors AI (typosquat): @vueuse/core is the legitimate VueUse core package by Anthony Fu; levenshtein match to 'cors' is a false positive for this well-known scoped package. ai
bogus-package bogus-package AI (bogus-package): Inflated semver reflects the VueUse monorepo versioning convention; this is a legitimate package from a mature project, not a spam/bogus package. ai
email-domain unclaimed-email:https://github.com/antfu AI (email-domain): Author field uses a GitHub profile URL instead of an email address; github.com is a valid domain. This is a formatting quirk, not a security risk. ai

Versions (showing 6 of 6)

Version Deps Published
14.3.0 3 / 0
14.2.1 3 / 0
14.2.0 3 / 0
14.1.0 3 / 0
14.0.0 3 / 0
12.0.0 4 / 0

v14.3.0

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v14.2.0

4 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2026-01-31) provenance

This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.1.0

4 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2025-11-27) provenance

This version was published by a different npm account than previous versions on 2025-11-27. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.0.0

3 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: vueuse-bot → GitHub Actions (on 2025-10-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.

v12.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.