vue-component-compiler — Greenflagged

Compiler for single file Vue components

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

yyx990803

Keywords

vuecomponent

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Package is 11+ years old, published by Evan You (Vue.js creator) under the vuejs org. Provenance attestation predates this package's era; absence is expected and not a risk signal.	ai	2026/04/24
dependencies	unvetted-dep:html-minifier	AI (dependencies): html-minifier is a well-known, established package used legitimately for HTML minification in this Vue component compiler. No malicious signal.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): yyx990803 is Evan You, creator of Vue.js. The SPAM-FLAGGED signal is a false positive for this well-known, legitimate publisher under the official vuejs GitHub org.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads user's own vue.config.js from cwd — intentional build-tool configuration pattern, not arbitrary code injection.	ai	2026/04/23