nuxt
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:estree-walker | AI (phantom-deps): estree-walker is a build toolchain dep; stable false positive for nuxt. | ai | |
| phantom-deps | phantom-dep:oxc-parser | AI (phantom-deps): oxc-parser is a build toolchain dep used via config; stable false positive for nuxt. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known build-time/runtime binary dep for nuxt; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:vue-devtools-stub | AI (phantom-deps): vue-devtools-stub is a nuxt convention dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:mocked-exports | AI (phantom-deps): mocked-exports is a nuxt-internal convention dep; stable false positive. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Nuxt is a major framework with CI/CD-based releases; gap in publishing cadence is not indicative of takeover given SLSA provenance and no material changes. | ai | |
| dependencies | unvetted-dep:unplugin-vue-router | AI (dependencies): unplugin-vue-router is a well-known Vue Router plugin maintained by the Vue/Nuxt ecosystem. Expected dependency for Nuxt's file-based routing. | ai | |
| phantom-deps | phantom-dep:@nuxt/nitro-server | AI (phantom-deps): Framework-scoped package loaded by Nuxt convention, not direct import. Consistent with Nuxt's documented architecture for server/builder packages. | ai | |
| dependencies | unvetted-dep:@nuxt/schema | AI (dependencies): @nuxt/schema is a first-party Nuxt monorepo package, always co-versioned with nuxt itself. Not a security concern. | ai | |
| dependencies | unvetted-dep:@nuxt/devtools | AI (dependencies): @nuxt/devtools is an official Nuxt ecosystem package maintained by the Nuxt team. Expected dependency for the framework. | ai | |
| phantom-deps | phantom-dep:@nuxt/devtools | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@dxup/nuxt | AI (phantom-deps): Referenced in config files as a Nuxt integration/plugin; not directly imported by design. Consistent with Nuxt ecosystem patterns. | ai | |
| phantom-deps | phantom-dep:@nuxt/vite-builder | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@nuxt/telemetry | AI (phantom-deps): Framework-scoped package loaded by convention in Nuxt; not directly imported by design. Stable pattern for this package. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 4.4.8 | 56 / 12 | |
| 4.4.7 | 56 / 12 | |
| 4.4.6 | 55 / 12 | |
| 4.3.0 | 57 / 11 | |
| 3.21.8 | 57 / 11 | |
| 3.21.7 | 57 / 11 | |
| 3.21.6 | 57 / 11 | |
| 3.21.1 | 57 / 11 | |
| 3.20.1 | 57 / 11 | |
v4.4.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.