← Home

@vercel/build-utils

51
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

matheussmatt.strakavercel-release-botzeit-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Vercel migrated release automation from vercel-release-bot to GitHub Actions with SLSA provenance attestation. This is a legitimate CI/CD pipeline change for the official Vercel monorepo. ai
maintainer-change maintainer-added AI (maintainer-change): matt.straka is a Vercel team member; addition consistent with internal team management of the official Vercel monorepo package. ai
publish-pattern dormant-publish AI (publish-pattern): Package has 422 versions and is part of the actively maintained Vercel monorepo. Dormancy flag reflects a cadence gap, not actual abandonment. ai
source-diff encoded-string-file:dist/index.js AI (source-diff): The encoded string is a base64-encoded WebAssembly binary for es-module-lexer, a listed dependency. This is a standard and legitimate pattern for bundling WASM parsers in JS build tools. ai
phantom-deps phantom-dep:es-module-lexer AI (phantom-deps): es-module-lexer is a legitimate declared runtime dep in this build utility; phantom-dep flag reflects indirect/config usage, not a security concern. ai
phantom-deps phantom-dep:cjs-module-lexer AI (phantom-deps): cjs-module-lexer is a legitimate declared runtime dep in this build utility; phantom-dep flag reflects indirect/config usage, not a security concern. ai
npm-metadata no-description AI (npm-metadata): Monorepo package from Vercel org; missing description is a cosmetic issue, not a security signal for this well-established package. ai

Versions (showing 51 of 91)

View all versions
Version Deps Published
13.33.0 3 / 41
13.32.3 3 / 41
13.32.2 3 / 41
13.32.1 3 / 41
13.32.0 3 / 41
13.31.1 3 / 41
13.31.0 3 / 41
13.30.0 3 / 41
13.29.1 3 / 41
13.29.0 3 / 41
13.28.0 3 / 41
13.27.2 3 / 41
13.27.1 3 / 41
13.27.0 3 / 41
13.26.6 3 / 41
13.26.5 3 / 41
13.26.4 3 / 41
13.26.3 3 / 41
13.26.2 3 / 41
13.26.1 3 / 41
13.26.0 3 / 41
13.25.0 3 / 41
13.24.0 3 / 41
13.23.0 3 / 41
13.22.1 3 / 39
13.22.0 3 / 39
13.21.0 3 / 41
13.20.0 3 / 42
13.19.1 3 / 42
13.19.0 3 / 42
13.18.0 3 / 42
13.17.1 3 / 42
13.17.0 3 / 42
13.16.0 3 / 42
13.15.0 3 / 40
13.14.2 3 / 40
13.14.1 3 / 40
13.14.0 3 / 40
13.13.0 3 / 40
13.12.2 3 / 40
13.12.1 3 / 38
13.12.0 3 / 38
13.11.0 3 / 38
13.10.0 1 / 38
13.8.2 1 / 38
13.8.1 1 / 38
13.8.0 1 / 38
13.7.0 1 / 38
13.6.3 1 / 38
13.6.2 1 / 38
13.6.1 1 / 38

v13.33.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.32.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.32.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.32.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.32.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.31.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.31.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.30.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.29.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.29.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.28.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.27.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.27.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.27.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.26.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.