@vercel/build-utils
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Vercel migrated release automation from vercel-release-bot to GitHub Actions with SLSA provenance attestation. This is a legitimate CI/CD pipeline change for the official Vercel monorepo. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): matt.straka is a Vercel team member; addition consistent with internal team management of the official Vercel monorepo package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 422 versions and is part of the actively maintained Vercel monorepo. Dormancy flag reflects a cadence gap, not actual abandonment. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): The encoded string is a base64-encoded WebAssembly binary for es-module-lexer, a listed dependency. This is a standard and legitimate pattern for bundling WASM parsers in JS build tools. | ai | |
| phantom-deps | phantom-dep:es-module-lexer | AI (phantom-deps): es-module-lexer is a legitimate declared runtime dep in this build utility; phantom-dep flag reflects indirect/config usage, not a security concern. | ai | |
| phantom-deps | phantom-dep:cjs-module-lexer | AI (phantom-deps): cjs-module-lexer is a legitimate declared runtime dep in this build utility; phantom-dep flag reflects indirect/config usage, not a security concern. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo package from Vercel org; missing description is a cosmetic issue, not a security signal for this well-established package. | ai |
Versions (showing 91 of 91)
| Version | Deps | Published |
|---|---|---|
| 13.33.0 | 3 / 41 | |
| 13.32.3 | 3 / 41 | |
| 13.32.2 | 3 / 41 | |
| 13.32.1 | 3 / 41 | |
| 13.32.0 | 3 / 41 | |
| 13.31.1 | 3 / 41 | |
| 13.31.0 | 3 / 41 | |
| 13.30.0 | 3 / 41 | |
| 13.29.1 | 3 / 41 | |
| 13.29.0 | 3 / 41 | |
| 13.28.0 | 3 / 41 | |
| 13.27.2 | 3 / 41 | |
| 13.27.1 | 3 / 41 | |
| 13.27.0 | 3 / 41 | |
| 13.26.6 | 3 / 41 | |
| 13.26.5 | 3 / 41 | |
| 13.26.4 | 3 / 41 | |
| 13.26.3 | 3 / 41 | |
| 13.26.2 | 3 / 41 | |
| 13.26.1 | 3 / 41 | |
| 13.26.0 | 3 / 41 | |
| 13.25.0 | 3 / 41 | |
| 13.24.0 | 3 / 41 | |
| 13.23.0 | 3 / 41 | |
| 13.22.1 | 3 / 39 | |
| 13.22.0 | 3 / 39 | |
| 13.21.0 | 3 / 41 | |
| 13.20.0 | 3 / 42 | |
| 13.19.1 | 3 / 42 | |
| 13.19.0 | 3 / 42 | |
| 13.18.0 | 3 / 42 | |
| 13.17.1 | 3 / 42 | |
| 13.17.0 | 3 / 42 | |
| 13.16.0 | 3 / 42 | |
| 13.15.0 | 3 / 40 | |
| 13.14.2 | 3 / 40 | |
| 13.14.1 | 3 / 40 | |
| 13.14.0 | 3 / 40 | |
| 13.13.0 | 3 / 40 | |
| 13.12.2 | 3 / 40 | |
| 13.12.1 | 3 / 38 | |
| 13.12.0 | 3 / 38 | |
| 13.11.0 | 3 / 38 | |
| 13.10.0 | 1 / 38 | |
| 13.8.2 | 1 / 38 | |
| 13.8.1 | 1 / 38 | |
| 13.8.0 | 1 / 38 | |
| 13.7.0 | 1 / 38 | |
| 13.6.3 | 1 / 38 | |
| 13.6.2 | 1 / 38 | |
| 13.6.1 | 1 / 38 | |
| 13.6.0 | 1 / 38 | |
| 13.5.0 | 1 / 38 | |
| 13.4.3 | 1 / 38 | |
| 13.4.2 | 1 / 38 | |
| 13.4.1 | 1 / 38 | |
| 13.4.0 | 1 / 38 | |
| 13.3.5 | 1 / 38 | |
| 13.3.4 | 1 / 38 | |
| 13.3.3 | 1 / 38 | |
| 13.3.2 | 1 / 38 | |
| 13.3.1 | 1 / 38 | |
| 13.3.0 | 0 / 38 | |
| 13.2.17 | 0 / 38 | |
| 13.2.16 | 0 / 38 | |
| 13.2.15 | 0 / 38 | |
| 13.2.14 | 0 / 38 | |
| 13.2.13 | 0 / 38 | |
| 13.2.12 | 0 / 38 | |
| 13.2.11 | 0 / 38 | |
| 13.2.10 | 0 / 38 | |
| 13.2.9 | 0 / 38 | |
| 13.2.8 | 0 / 38 | |
| 13.2.7 | 0 / 38 | |
| 13.2.6 | 0 / 38 | |
| 13.2.5 | 0 / 38 | |
| 13.2.4 | 0 / 38 | |
| 13.2.3 | 0 / 38 | |
| 13.2.2 | 0 / 38 | |
| 13.2.1 | 0 / 38 | |
| 13.2.0 | 0 / 38 | |
| 13.1.2 | 0 / 38 | |
| 13.1.1 | 0 / 38 | |
| 13.1.0 | 0 / 38 | |
| 13.0.2 | 0 / 38 | |
| 13.0.1 | 0 / 38 | |
| 13.0.0 | 0 / 38 | |
| 12.2.4 | 0 / 38 | |
| 12.2.3 | 0 / 38 | |
| 12.2.2 | 0 / 38 | |
| 12.2.1 | 0 / 38 |
v13.33.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.32.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.32.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.32.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.32.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.31.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.31.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.30.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.29.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.29.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.27.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.27.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.27.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.26.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.