@vercel/ncc
Simple CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style.
Versions: 38
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers: matheuss, matt.straka, vercel-release-bot, zeit-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): vercel-release-bot is Vercel's official release automation account with 1524 approved packages. Publisher change from styfle (Vercel employee) to release bot is a legitimate organizational transition. | ai | |
| source-diff | encoded-string-file:dist/ncc/index.js.cache.js | AI (source-diff): Cache files in ncc contain bundled library code (MIME type databases, minified deps). Long encoded strings are expected artifacts of ncc's bundling process, not malicious payloads. | ai | |
| source-diff | encoded-string-file:dist/ncc/loaders/ts-loader.js.cache.js | AI (source-diff): ts-loader cache contains bundled TypeScript compiler internals. Long encoded strings are TypeScript AST/compiler exports, expected for ncc's ts-loader bundle. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Vercel consolidated to vercel-release-bot for publishing. Mass maintainer removal is consistent with organizational automation transition, not a takeover. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 0.43.0 | 0 / 92 | |
| 0.38.4 | 0 / 89 | |
| 0.38.3 | 0 / 89 | |
| 0.38.2 | 0 / 89 | |
| 0.38.1 | 0 / 89 | |
| 0.38.0 | 0 / 89 | |
| 0.37.0 | 0 / 89 | |
| 0.36.1 | 0 / 90 | |
| 0.36.0 | 0 / 91 | |
| 0.34.0 | 0 / 91 | |
| 0.33.4 | 0 / 90 | |
| 0.33.3 | 0 / 90 | |
| 0.33.2 | 0 / 90 | |
| 0.33.1 | 0 / 92 | |
| 0.33.0 | 0 / 92 | |
| 0.32.0 | 0 / 92 | |
| 0.31.1 | 0 / 92 | |
| 0.31.0 | 0 / 92 | |
| 0.30.0 | 0 / 92 | |
| 0.29.2 | 0 / 92 | |
| 0.29.1 | 0 / 92 | |
| 0.29.0 | 0 / 92 | |
| 0.28.6 | 0 / 92 | |
| 0.28.5 | 0 / 92 | |
| 0.28.4 | 0 / 92 | |
| 0.28.3 | 0 / 93 | |
| 0.28.2 | 0 / 93 | |
| 0.28.1 | 0 / 93 | |
| 0.28.0 | 0 / 93 | |
| 0.27.0 | 0 / 93 | |
| 0.26.2 | 0 / 93 | |
| 0.26.1 | 0 / 93 | |
| 0.26.0 | 0 / 93 | |
| 0.25.1 | 0 / 93 | |
| 0.25.0 | 0 / 92 | |
| 0.24.1 | 0 / 91 | |
| 0.24.0 | 0 / 91 | |
| 0.23.0 | 0 / 91 | |
v0.43.0 (2 findings)
| Severity | Source | Finding | Detail |
|---|---|---|---|
| INFO | provenance | Has SLSA provenance attestation | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. |
| INFO | provenance | Publisher changed: vercel-release-bot → GitHub Actions (on 2026-06-09) | [Accepted risk] This version was published by a different npm account than previous versions on 2026-06-09. This could indicate a legitimate maintainer transition or an account compromise. |