nuxt
Versions: 7
License: —
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
nuxtbot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Nuxt is a major framework with CI/CD-based releases; gap in publishing cadence is not indicative of takeover given SLSA provenance and no material changes. | ai | |
| phantom-deps | phantom-dep:@nuxt/nitro-server | AI (phantom-deps): Framework-scoped package loaded by Nuxt convention, not direct import. Consistent with Nuxt's documented architecture for server/builder packages. | ai | |
| dependencies | unvetted-dep:@nuxt/schema | AI (dependencies): @nuxt/schema is a first-party Nuxt monorepo package, always co-versioned with nuxt itself. Not a security concern. | ai | |
| dependencies | unvetted-dep:@nuxt/devtools | AI (dependencies): @nuxt/devtools is an official Nuxt ecosystem package maintained by the Nuxt team. Expected dependency for the framework. | ai | |
| dependencies | unvetted-dep:unplugin-vue-router | AI (dependencies): unplugin-vue-router is a well-known Vue Router plugin maintained by the Vue/Nuxt ecosystem. Expected dependency for Nuxt's file-based routing. | ai | |
| phantom-deps | phantom-dep:@nuxt/telemetry | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@nuxt/vite-builder | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@dxup/nuxt | AI (phantom-deps): Referenced in config files as a Nuxt integration/plugin; not directly imported by design. Consistent with Nuxt ecosystem patterns. | ai | |
| phantom-deps | phantom-dep:@nuxt/devtools | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 4.4.2 | 56 / 12 | |
| 4.3.0 | 57 / 11 | |
| 3.21.1 | 57 / 11 | |
| 3.21.0 | 57 / 11 | |
| 3.20.2 | 57 / 11 | |
| 3.20.1 | 57 / 11 | |
| 3.20.0 | 57 / 11 | |
v4.4.2
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.