vue
The progressive JavaScript framework for building modern web UI.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/vue.common.js | AI (source-diff): Vue.js dist bundle legitimately uses new Function() for template compilation and may reference network APIs. Standard framework build output. | ai | |
| phantom-deps | phantom-dep:envify | AI (phantom-deps): envify is used as a browserify transform declared in package.json's browserify config, not a direct import. Legitimate pattern. | ai | |
| source-diff | obfuscated-file:coverage/PhantomJS 1.9.7 (Mac OS X)/lcov-report/prettify.js | AI (source-diff): Google code-prettify bundled in karma-coverage lcov HTML report output; minified by design, not obfuscated malware. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Vue's internal ViewModel.require for component module resolution; standard framework pattern. | ai | |
| source-diff | net-exec-file:dist/vue.js | AI (source-diff): dist/vue.js is Vue's standard bundled distribution file; network+exec pattern is the Component.js module loader, not malware. | ai | |
| provenance | missing-githead | AI (provenance): Vue 3 monorepo publish workflow differs from Vue 2; missing gitHead is expected for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:coverage/PhantomJS 1.9.2 (Mac OS X)/lcov-report/prettify.js | AI (source-diff): Google code-prettify library shipped minified inside a Karma/Istanbul coverage report artifact. Not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/vue.global.js | AI (source-diff): Vue's global IIFE build; template compiler requires dynamic code execution. Standard framework distribution file. | ai | |
| source-diff | obfuscated-file:dist/vue.runtime.global.prod.js | AI (source-diff): Minified runtime-only global production build; standard Vue distribution artifact. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Vue ships multiple dist bundles (ESM, global, runtime, full); 33 files is normal for Vue 3.x distribution. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Diff baseline is v0.8.1 (ancient); Vue 3.x is naturally much larger. Size is consistent with the framework. | ai | |
| source-diff | net-exec-file:dist/vue.esm-browser.js | AI (source-diff): Vue's template compiler and runtime legitimately use dynamic code execution (new Function) and network-related patterns. Standard framework code. | ai | |
| source-diff | net-exec-file:dist/vue.esm-browser.prod.js | AI (source-diff): Minified production build of Vue's ESM browser bundle; same legitimate code as the non-minified version. | ai | |
| source-diff | obfuscated-file:dist/vue.runtime.esm-browser.prod.js | AI (source-diff): Minified runtime-only ESM production build; standard Vue distribution artifact. | ai | |
| source-diff | net-exec-file:dist/vue.global.prod.js | AI (source-diff): Minified production build of Vue's global bundle; legitimate framework code. | ai | |
| source-diff | obfuscated-file:dist/vue.esm-browser.prod.js | AI (source-diff): Standard minified production build of Vue.js; .prod.js files are always minified. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/vue.global.prod.js | AI (source-diff): Standard minified production build; long lines are from minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/vue.runtime-with-vapor.esm-browser.prod.js | AI (source-diff): Minified production bundle; standard for Vue.js distribution artifacts. | ai | |
| source-diff | obfuscated-file:dist/vue.runtime-with-vapor.esm-browser.js | AI (source-diff): Minified distribution bundle with copyright header and standard Vue.js utility code; expected for production builds. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from yyx990803 to GitHub Actions is documented CI/CD automation; legitimate maintainer workflow for Vue. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is used in Vue's template compiler for expression validation — a well-documented, intentional design pattern, not a security risk for this package. | ai | |
| provenance | no-provenance | AI (provenance): Vue predates Sigstore provenance workflows; absence of attestation is not a risk signal for this well-established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Vue is an actively maintained major framework; team maintainer additions are expected and consistent with the official vuejs org's practices. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Added deps (@vue/compiler-sfc, @vue/server-renderer) are official first-party Vue sub-packages by the same maintainer, not third-party additions. | ai | |
| dependencies | unvetted-dep:@vue/compiler-sfc | AI (dependencies): @vue/compiler-sfc is a first-party Vue.js monorepo package; it will always be a dependency of vue and is not a real risk. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): 'vue' is the canonical Vue.js package with 11M+ weekly downloads; not a typosquat of vite. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): 'vue' is the canonical Vue.js package; not a typosquat of yup. | ai |
Versions (showing 51 of 229)
| Version | Deps | Published |
|---|---|---|
| 3.5.35 | 5 / 0 | |
| 3.5.34 | 5 / 0 | |
| 3.5.33 | 5 / 0 | |
| 3.5.32 | 5 / 0 | |
| 3.5.31 | 5 / 0 | |
| 3.5.30 | 5 / 0 | |
| 3.5.29 | 5 / 0 | |
| 3.5.28 | 5 / 0 | |
| 3.5.27 | 5 / 0 | |
| 3.5.26 | 5 / 0 | |
| 3.5.25 | 5 / 0 | |
| 3.5.24 | 5 / 0 | |
| 3.5.23 | 5 / 0 | |
| 3.5.22 | 5 / 0 | |
| 3.5.21 | 5 / 0 | |
| 3.5.20 | 5 / 0 | |
| 3.5.19 | 5 / 0 | |
| 3.5.18 | 5 / 0 | |
| 3.5.17 | 5 / 0 | |
| 3.5.16 | 5 / 0 | |
| 3.5.15 | 5 / 0 | |
| 3.5.14 | 5 / 0 | |
| 3.5.13 | 5 / 0 | |
| 3.5.12 | 5 / 0 | |
| 3.5.11 | 5 / 0 | |
| 3.5.10 | 5 / 0 | |
| 3.5.9 | 5 / 0 | |
| 3.5.8 | 5 / 0 | |
| 3.5.7 | 5 / 0 | |
| 3.5.6 | 5 / 0 | |
| 3.5.5 | 5 / 0 | |
| 3.5.4 | 5 / 0 | |
| 3.5.3 | 5 / 0 | |
| 3.5.2 | 5 / 0 | |
| 3.5.1 | 5 / 0 | |
| 3.5.0 | 5 / 0 | |
| 3.4.38 | 5 / 0 | |
| 3.4.37 | 5 / 0 | |
| 3.4.36 | 5 / 0 | |
| 3.4.35 | 5 / 0 | |
| 3.4.34 | 5 / 0 | |
| 3.4.33 | 5 / 0 | |
| 3.4.32 | 5 / 0 | |
| 3.4.31 | 5 / 0 | |
| 3.4.30 | 5 / 0 | |
| 3.4.29 | 5 / 0 | |
| 3.4.28 | 5 / 0 | |
| 3.4.27 | 5 / 0 | |
| 3.4.26 | 5 / 0 | |
| 3.4.25 | 5 / 0 | |
| 3.4.23 | 5 / 0 |
v3.5.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.23
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.22
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.21
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.20
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.19
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-21. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.12
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: yyx990803.
v3.5.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.8
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: yyx990803.
v3.5.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.38
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.37
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: yyx990803.
v3.4.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.