
@nuxt/kit @4.4.5

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 20
Dev Dependencies: 11
Package Size: 25.9 KB
Published:

Toolkit for authoring modules and interacting with Nuxt

Maintainers

nuxtbot

Dependencies (20)

Package  Constraint  Registry Status
c12 ^3.3.4 pending
rc9 ^3.0.1 auto_approved
ufo ^1.6.4 auto_approved
defu ^6.1.7 auto_approved
errx ^0.1.0 auto_approved
jiti ^2.6.1 auto_approved
mlly ^1.8.2 auto_approved
destr ^2.0.5 auto_approved
klona ^2.0.6 auto_approved
ohash ^2.0.11 auto_approved
pathe ^2.0.3 auto_approved
scule ^1.3.0 auto_approved
unctx ^2.5.0 auto_approved
ignore ^7.0.5 auto_approved
semver ^7.7.4 auto_approved
consola ^3.4.2 auto_approved
exsolve ^1.0.8 auto_approved
untyped ^2.0.0 auto_approved
pkg-types ^2.3.1 auto_approved
tinyglobby ^0.2.16 auto_approved

Dev Dependencies (11)

Package  Constraint  Registry Status
vite 7.3.2 auto_approved
nitro 3.0.260311-beta pending
obuild 0.4.34 pending
vitest 4.1.5 pending
webpack 5.106.2 auto_approved
hookable 6.1.1 auto_approved
unimport 6.2.0 auto_approved
nitropack 2.13.4 auto_approved
@nuxt/schema 4.4.5 rejected
@rspack/core 1.7.11 auto_approved
@types/semver 7.7.1 auto_approved

Transitive Dependency Tree

31 transitive deps, max depth 3
  ├─ c12 ^3.3.4
  ├─ consola ^3.4.2 → 3.4.2
  ├─ defu ^6.1.7 → 6.1.7
  ├─ destr ^2.0.5 → 2.0.5
  ├─ errx ^0.1.0 → 0.1.0
  ├─ exsolve ^1.0.8 → 1.0.8
  ├─ ignore ^7.0.5 → 7.0.5
  ├─ jiti ^2.6.1 → 2.7.0
  ├─ klona ^2.0.6 → 2.0.6
  ├─ mlly ^1.8.2 → 1.8.2
  ├─ ohash ^2.0.11 → 2.0.11
  ├─ pathe ^2.0.3 → 2.0.3
  ├─ pkg-types ^2.3.1 → 2.3.1
  ├─ rc9 ^3.0.1 → 3.0.1
  ├─ scule ^1.3.0 → 1.3.0
  ├─ semver ^7.7.4 → 7.8.0
  ├─ tinyglobby ^0.2.16 → 0.2.16
  ├─ ufo ^1.6.4 → 1.6.4
  ├─ unctx ^2.5.0 → 2.5.0
├─ untyped ^2.0.0 → 2.0.0
  ├─ acorn ^8.15.0 → 8.16.0
  ├─ acorn ^8.16.0 → 8.16.0
  ├─ citty ^0.1.6
  ├─ confbox ^0.2.4 → 0.2.4
  ├─ defu ^6.1.4 → 6.1.7
  ├─ defu ^6.1.6 → 6.1.7
  ├─ destr ^2.0.5 → 2.0.5
  ├─ estree-walker ^3.0.3 → 3.0.3
  ├─ exsolve ^1.0.8 → 1.0.8
  ├─ fdir ^6.5.0 → 6.5.0
  ├─ jiti ^2.4.2 → 2.6.1
  ├─ knitwork ^1.2.0
  ├─ magic-string ^0.30.21 → 0.30.21
  ├─ pathe ^2.0.3 → 2.0.3
  ├─ picomatch ^4.0.4 → 4.0.4
  ├─ pkg-types ^1.3.1
  ├─ scule ^1.3.0 → 1.3.0
  ├─ ufo ^1.6.3 → 1.6.3
├─ unplugin ^2.3.11
  ├─ @jridgewell/sourcemap-codec ^1.5.5 → 1.5.5
  ├─ @types/estree ^1.0.0 → 1.0.8

Changes from v0.6.4

Dependency Changes

Change  Package  Version
added c12 ^3.3.4
added errx ^0.1.0
added mlly ^1.8.2
added destr ^2.0.5
added klona ^2.0.6
added ohash ^2.0.11
added pathe ^2.0.3
added ignore ^7.0.5
added semver ^7.7.4
added exsolve ^1.0.8
added pkg-types ^2.3.1
added tinyglobby ^0.2.16
removed upath ^2.0.1
removed dotenv ^10.0.0
removed globby ^11.0.4
removed std-env ^2.3.0
removed hash-sum ^2.0.0
removed create-require ^1.1.1
changed rc9 ^1.2.0 → ^3.0.1
changed ufo ^0.7.5 → ^1.6.4
changed defu ^5.0.0 → ^6.1.7
changed jiti ^1.10.1 → ^2.6.1
changed scule ^0.2.1 → ^1.3.0
changed unctx ^0.0.3 → ^2.5.0
changed consola ^2.15.3 → ^3.4.2
changed untyped ^0.2.5 → ^2.0.0

Script Changes

+ test:attw
+ build:stub
- prepack

File Changes

3 added, 6 removed, 2 modified; size delta: -274.0 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
bogus-package  bogus-package  reject  AI  AI (bogus-package): Maintainer antfu flagged as spam publisher; verdict generalizes to all versions of this package.

SAST Findings (5)

CRITICAL Low-value / spam package indicators (2 signals, score 3) bogus-package

[Always reject] Matched 2 signal(s), weighted score 3:
• [S_README_LINKDUMP] README is a link dump (39 URLs) that barely mentions the package, typical of phishing link farms.
• [S_NO_KEYWORDS] No keywords declared.
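How the two signals above can be computed from a package's README and manifest, as an added example that is not GreenFlagged's own code. The signal ids are the ones reported on this page; the weights, the URL and mention thresholds, and the reject cutoff of 3 are assumptions, and the README and package.json inputs are constructed for the demo.

```javascript
// Added example, not GreenFlagged's code: a minimal re-implementation of the
// two "low-value / spam package" signals, run over constructed inputs.
// Signal ids come from the page; weights, thresholds and REJECT_SCORE are assumed.

const URL_RE = /https?:\/\/[^\s<>()"'\]]+/g;

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// S_README_LINKDUMP: a README that is mostly links and hardly names the package.
// Returns the evidence (URL and mention counts) so a reviewer can see why it fired.
function readmeLinkDump(readme, packageName, { minUrls = 20, maxMentions = 2 } = {}) {
  const urls = readme.match(URL_RE) || [];
  const mentions = (readme.match(new RegExp(escapeRe(packageName), 'gi')) || []).length;
  return { fired: urls.length >= minUrls && mentions <= maxMentions, urls: urls.length, mentions };
}

// S_NO_KEYWORDS: package.json declares no keywords at all.
function noKeywords(manifest) {
  return { fired: !Array.isArray(manifest.keywords) || manifest.keywords.length === 0 };
}

// Weighted signals; a total at or above REJECT_SCORE is an automatic reject.
const SIGNALS = [
  { id: 'S_README_LINKDUMP', weight: 2, run: (m, r) => readmeLinkDump(r, m.name) },
  { id: 'S_NO_KEYWORDS',     weight: 1, run: (m)    => noKeywords(m) },
];
const REJECT_SCORE = 3; // assumed cutoff

function scoreLowValue(manifest, readme) {
  const evidence = [];
  let score = 0;
  for (const s of SIGNALS) {
    const result = s.run(manifest, readme);
    if (result.fired) {
      evidence.push({ id: s.id, weight: s.weight, ...result });
      score += s.weight;
    }
  }
  return { matched: evidence.map((e) => e.id), score, reject: score >= REJECT_SCORE, evidence };
}

// Constructed inputs (not real registry data): a link farm with 39 URLs that
// never spells out the package name, and an ordinary README for comparison.
const linkFarmReadme = ['# kit', '', 'Useful links:']
  .concat(Array.from({ length: 39 }, (_, i) => `- https://example.invalid/page-${i}`))
  .join('\n');
const linkFarmManifest = { name: '@nuxt/kit', version: '0.0.0' }; // no keywords

const honestReadme = [
  '# @nuxt/kit',
  '',
  'Toolkit for authoring modules and interacting with Nuxt.',
  '',
  '```js',
  "import { defineNuxtModule } from '@nuxt/kit'",
  '```',
  '',
  'Docs: https://example.invalid/docs',
].join('\n');
const honestManifest = { name: '@nuxt/kit', version: '0.0.0', keywords: ['nuxt', 'module'] };

console.log(scoreLowValue(linkFarmManifest, linkFarmReadme)); // score 3, reject: true
console.log(scoreLowValue(honestManifest, honestReadme));     // score 0, reject: false
```

Returning the counts alongside the boolean matters in practice: a reviewer deciding whether to uphold an "always reject" verdict needs the 39-URL, zero-mention evidence, not just the rule id.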

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (danielroe, atinux, pi0, clarkdo) were replaced by new maintainers (nuxtbot). This is a strong signal of a potential package hijack and requires careful review. A single automation account replacing every human maintainer is also consistent with a move to CI-based publishing, but that should be confirmed against the project's own repository and npm organisation rather than inferred from registry metadata alone.

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, although previous versions had one. The npm CLI fills gitHead from the git checkout it publishes from, so its absence usually means the publish environment changed (for example, a CI job publishing from a build directory without git metadata). Published by: GitHub Actions. Where a provenance attestation is present, the source commit can be read from the attestation instead; without one, registry metadata alone cannot tie this tarball to a commit.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: it binds the published tarball to the workflow and source commit that built it. It does not say anything about whether that workflow, repository or its maintainers are trustworthy, and it only counts once it has been verified; `npm audit signatures` (npm 9.5 or newer) checks registry signatures and provenance attestations for the packages installed in a project.

INFO Publisher changed: pi0 → GitHub Actions (on 2026-05-10) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-10. This could indicate a legitimate maintainer transition or an account compromise.
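The three publish-history findings above (complete maintainer takeover, missing gitHead, publisher change) as an added example, not GreenFlagged's code, run over an abbreviated npm packument. The field names (time, versions[].maintainers, versions[].gitHead, versions[]._npmUser) are what the public registry returns for a package; the values in the sample are constructed to mirror this page and are not real registry data.

```javascript
// Added example, not GreenFlagged's own code: publish-history checks over an
// abbreviated npm packument. Field names match the registry document format;
// the sample values below are constructed for the demo.

const packument = {
  name: '@nuxt/kit',
  time: {
    created: '2021-12-01T00:00:00.000Z',
    modified: '2026-05-10T00:00:00.000Z',
    '0.6.4': '2021-12-01T00:00:00.000Z',
    '4.4.5': '2026-05-10T00:00:00.000Z',
  },
  versions: {
    '0.6.4': {
      version: '0.6.4',
      gitHead: '0000000000000000000000000000000000000000', // placeholder sha
      _npmUser: { name: 'pi0' },
      maintainers: [{ name: 'danielroe' }, { name: 'atinux' }, { name: 'pi0' }, { name: 'clarkdo' }],
    },
    '4.4.5': {
      version: '4.4.5',
      // no gitHead on this publish
      _npmUser: { name: 'GitHub Actions' },
      maintainers: [{ name: 'nuxtbot' }],
    },
  },
};

// Version published immediately before `version`, ordered by registry publish time.
function previousVersion(pkg, version) {
  const published = Object.entries(pkg.time)
    .filter(([k]) => k !== 'created' && k !== 'modified')
    .sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]));
  const i = published.findIndex(([v]) => v === version);
  return i > 0 ? published[i - 1][0] : null;
}

const names = (list) => new Set((list || []).map((m) => m.name));

// maintainer-change (HIGH): none of the previous version's maintainers survive.
// A partial rotation (some retained) deliberately does not fire.
function completeMaintainerTakeover(prev, curr) {
  const before = names(prev.maintainers);
  const after = names(curr.maintainers);
  const retained = [...before].filter((n) => after.has(n));
  return {
    fired: before.size > 0 && after.size > 0 && retained.length === 0,
    removed: [...before].filter((n) => !after.has(n)),
    added: [...after].filter((n) => !before.has(n)),
  };
}

// provenance (HIGH): the previous version carried gitHead, this one does not.
function gitHeadDropped(prev, curr) {
  return { fired: Boolean(prev.gitHead) && !curr.gitHead, previous: prev.gitHead || null };
}

// provenance (INFO): a different account performed the publish.
function publisherChanged(prev, curr) {
  const from = prev._npmUser && prev._npmUser.name;
  const to = curr._npmUser && curr._npmUser.name;
  return { fired: Boolean(from) && Boolean(to) && from !== to, from, to };
}

// Runs all three checks for one version against its predecessor.
function comparePublishes(pkg, version, baseline = previousVersion(pkg, version)) {
  const prev = pkg.versions[baseline];
  const curr = pkg.versions[version];
  if (!prev || !curr) throw new Error(`unknown version: ${baseline} or ${version}`);
  const findings = [];
  const mt = completeMaintainerTakeover(prev, curr);
  if (mt.fired) findings.push({ severity: 'HIGH', rule: 'maintainer-change',
    detail: `${mt.removed.join(', ')} replaced by ${mt.added.join(', ')}` });
  const gh = gitHeadDropped(prev, curr);
  if (gh.fired) findings.push({ severity: 'HIGH', rule: 'provenance',
    detail: `gitHead missing; ${baseline} had ${gh.previous}` });
  const pc = publisherChanged(prev, curr);
  if (pc.fired) findings.push({ severity: 'INFO', rule: 'provenance',
    detail: `publisher changed: ${pc.from} -> ${pc.to} (on ${pkg.time[version].slice(0, 10)})` });
  return findings;
}

console.log(comparePublishes(packument, '4.4.5'));
```

The same functions run unchanged on a live document: `fetch('https://registry.npmjs.org/@nuxt%2Fkit').then((r) => r.json())` returns this shape with every published version. Note that `_npmUser` records which account ran `npm publish`, not who owns the package, which is why the publisher change is reported separately from the maintainer change.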

Review Summary

Risk score: 100 (capped from 110). Findings: 1 critical (+40), 2 high (+50), 2 medium (+20), 4 info (+0).

Published to npm: