@nuxt/webpack-builder — Greenflagged

Webpack bundler for Nuxt

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

nuxtbot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Nuxt monorepo publishes via GitHub Actions CI with SLSA attestation; this is the expected publisher going forward.	ai	2026/05/30
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer list change reflects CI-based publishing model for the Nuxt monorepo, not a takeover.	ai	2026/05/30
source-diff	obfuscated-file:dist/_chunks/libs/@vue/compiler-dom.d.mts	AI (source-diff): Auto-generated TypeScript declaration rollup; long lines are expected in bundled .d.mts files.	ai	2026/05/18
source-diff	obfuscated-file:dist/_chunks/libs/@babel/parser.d.mts	AI (source-diff): Auto-generated TypeScript declaration rollup; long lines are expected in bundled .d.mts files.	ai	2026/05/18
source-diff	obfuscated-file:dist/_chunks/libs/@vue/compiler-core.d.mts	AI (source-diff): Auto-generated TypeScript declaration rollup; long lines are expected in bundled .d.mts files.	ai	2026/05/18
source-diff	large-new-source-files	AI (source-diff): New files are type declaration rollups from dependency version bump, not injected code.	ai	2026/05/18
source-diff	source-size-tripled	AI (source-diff): Size increase explained by bundled type declaration files from @vue/compiler-sfc 3.5.27 upgrade.	ai	2026/05/18
source-diff	net-exec-file:dist/_chunks/libs/@vue/compiler-core.d.mts	AI (source-diff): Declaration file only; no runtime network or exec calls — false positive from type-level imports.	ai	2026/05/18
phantom-deps	phantom-dep:postcss-import	AI (phantom-deps): PostCSS plugin referenced via config, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:postcss-loader	AI (phantom-deps): Webpack loader referenced via config string, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:cssnano	AI (phantom-deps): Webpack builder; loaders/plugins referenced via config strings, not direct imports. Stable FP for this package.	ai	2026/05/03
bogus-package	bogus-package	AI (bogus-package): Auto-generated monorepo package; README and metadata patterns are typical for Nuxt sub-packages.	ai	2026/05/03
phantom-deps	phantom-dep:pug-plain-loader	AI (phantom-deps): Webpack loader referenced via config string, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:postcss	AI (phantom-deps): Same pattern — config-referenced dependency, not directly imported.	ai	2026/05/03
phantom-deps	phantom-dep:css-loader	AI (phantom-deps): Webpack loader referenced via config string, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:tinyglobby	AI (phantom-deps): Utility dep used indirectly; stable FP for this webpack builder package.	ai	2026/05/03
phantom-deps	phantom-dep:url-loader	AI (phantom-deps): Webpack loader referenced via config string, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:file-loader	AI (phantom-deps): Webpack loader referenced via config string, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:postcss-url	AI (phantom-deps): PostCSS plugin referenced via config, not direct import.	ai	2026/05/03
phantom-deps	phantom-dep:autoprefixer	AI (phantom-deps): PostCSS plugin referenced via config, not direct import.	ai	2026/05/03

Versions (showing 26 of 26)

Version	Deps	Published
4.4.6	42 / 9	2026-05-18
4.4.5	42 / 9	2026-05-10
4.4.4	42 / 9	2026-04-29
4.4.2	43 / 9	2026-03-12
4.3.1	43 / 9	2026-02-07
4.3.0	43 / 9	2026-01-22
4.2.2	41 / 7	2025-12-09
4.2.1	41 / 7	2025-11-06
4.2.0	41 / 7	2025-10-25
4.1.3	40 / 7	2025-10-06
4.1.2	40 / 7	2025-09-12
4.1.1	40 / 7	2025-09-05
4.1.0	40 / 7	2025-09-02
4.0.3	40 / 7	2025-08-05
4.0.2	40 / 7	2025-07-29
4.0.1	40 / 7	2025-07-21
4.0.0	40 / 7	2025-07-15
3.21.7	41 / 10	2026-06-02
3.21.6	41 / 10	2026-05-18
3.21.5	41 / 10	2026-05-10
3.21.4	41 / 10	2026-04-29
3.21.2	42 / 10	2026-03-12
3.21.1	42 / 10	2026-02-07
3.21.0	42 / 10	2026-01-22
3.20.2	40 / 8	2025-12-09
3.20.1	40 / 8	2025-11-06

v4.4.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

2 findings

HIGH Publisher changed: danielroe → GitHub Actions (on 2025-10-25) provenance

This version was published by a different npm account than previous versions on 2025-10-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.3

2 findings

HIGH Publisher changed: danielroe → GitHub Actions (on 2025-10-06) provenance

This version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.2

2 findings

HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-12) provenance

This version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

2 findings

HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-05) provenance

This version was published by a different npm account than previous versions on 2025-09-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

2 findings

HIGH Publisher changed: danielroe → GitHub Actions (on 2025-09-02) provenance

This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.1

5 findings

HIGH New obfuscated file: dist/_chunks/libs/@vue/compiler-core.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/_chunks/libs/@vue/compiler-core.d.mts source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/_chunks/libs/@vue/compiler-dom.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/@babel/parser.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.21.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.20.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.20.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.