All @vue/compiler-core versions
@vue/compiler-core @3.5.34
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
40
Risk Score
MIT
License
No
Install Scripts
5
Dependencies
1
Dev Dependencies
141.0 KB
Package Size
Published
@vue/compiler-core
Maintainers
yyx990803
Keywords
vue
Dependencies (5)
| Package | Constraint | Registry Status |
|---|---|---|
| entities | ^7.0.1 | auto_approved |
| @vue/shared | 3.5.34 | auto_approved |
| @babel/parser | ^7.29.3 | auto_approved |
| estree-walker | ^2.0.2 | auto_approved |
| source-map-js | ^1.2.1 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| @babel/types | ^7.29.0 | auto_approved |
Transitive Dependency Tree
8 transitive deps
max depth 3
├─
@babel/parser
^7.29.3
→ 7.29.3
├─
@vue/shared
3.5.34
→ 3.5.34
├─
entities
^7.0.1
→ 7.0.1
├─
estree-walker
^2.0.2
→ 2.0.2
├─
source-map-js
^1.2.1
→ 1.2.1
├─
@babel/types
^7.29.0
→ 7.29.0
├─
@babel/helper-string-parser
^7.27.1
→ 7.27.1
├─
@babel/helper-validator-identifier
^7.28.5
→ 7.28.5
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
bogus-package |
bogus-package | reject | AI | AI (bogus-package): Inflated semver on first publish, flagged maintainer, and zero ecosystem presence are disqualifying for a package impersonating a major Vue.js core library. |
SAST Findings (2)
CRITICAL
Low-value / spam package indicators (2 signals, score 3)
bogus-package
[Always reject] Matched 2 signal(s), weighted score 3: • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 40. Findings: 1 critical (+40), 1 info (+0).
Published to npm: