@vueuse/nuxt — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

vueuse-bot

Keywords

vuevueusenuxtnuxt3nuxt-module

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from vueuse-bot to GitHub Actions with SLSA attestation is a legitimate CI/CD migration for this well-known package.	ai	2026/05/02
typosquat	typosquat.levenshtein:next	AI (typosquat): Scoped package @vueuse/nuxt is the official VueUse Nuxt module; no relation to the 'next' package.	ai	2026/04/28
email-domain	unclaimed-email:https://github.com/antfu	AI (email-domain): Author field uses a GitHub profile URL, not an email address; not an exploitable domain hijack vector.	ai	2026/04/28

Versions (showing 6 of 6)

Version	Deps	Published
14.3.0	4 / 3	2026-05-01
14.2.1	4 / 3	2026-02-10
14.2.0	4 / 3	2026-01-31
14.1.0	4 / 3	2025-11-27
14.0.0	4 / 3	2025-10-22
13.1.0	4 / 3	2025-04-08

v14.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.2.1

3 findings

HIGH typosquat.levenshtein: Possible typosquat of 'next' typosquat

Package name '@vueuse/nuxt' is 1 edit(s) away from popular package 'next'.

HIGH Unclaimed maintainer email domain: https://github.com/antfu email-domain

Maintainer email 'https://github.com/antfu' uses domain 'https://github.com/antfu' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.2.0

2 findings

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2026-01-31) provenance

This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.1.0

2 findings

HIGH Publisher changed: vueuse-bot → GitHub Actions (on 2025-11-27) provenance

This version was published by a different npm account than previous versions on 2025-11-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.0.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: vueuse-bot → GitHub Actions (on 2025-10-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.

v13.1.0

3 findings

HIGH typosquat.levenshtein: Possible typosquat of 'next' typosquat

Package name '@vueuse/nuxt' is 1 edit(s) away from popular package 'next'.

HIGH Unclaimed maintainer email domain: https://github.com/antfu email-domain

Maintainer email 'https://github.com/antfu' uses domain 'https://github.com/antfu' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.