
vercel

22 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, no source commit

Maintainers

matheuss, rauchg, matt.straka, vercel-release-bot, zeit-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:dist/chunks/chunk-GIJMTTDG.js | AI (source-diff): Bundled CLI chunk; network + exec is inherent to a deployment CLI tool. | ai |
source-diff | obfuscated-file:dist/chunks/exec-JSOL4CYJ.js | AI (source-diff): Bundled output with long lines; not obfuscated, just minified build artifact. | ai |
source-diff | net-exec-file:dist/chunks/exec-JSOL4CYJ.js | AI (source-diff): Bundled CLI chunk wrapping which/execa; expected for CLI tool. | ai |
source-diff | net-exec-file:dist/chunks/chunk-KFVMKDQD.js | AI (source-diff): Bundled CLI chunk; network+exec is expected for a deployment CLI tool. | ai |
source-diff | net-exec-file:dist/chunks/chunk-QAHIBMRJ.js | AI (source-diff): Bundled CLI chunk with expected network+exec patterns; stable FP for this package. | ai |
source-diff | net-exec-file:dist/chunks/chunk-CWRL2B64.js | AI (source-diff): Bundled CLI chunk with network+exec is expected for the Vercel CLI tool. | ai |
source-diff | net-exec-file:dist/chunks/chunk-V2EPUZ7C.js | AI (source-diff): Bundled CLI chunk with network+exec is normal for the Vercel CLI tool. | ai |
source-diff | net-exec-file:dist/chunks/chunk-W5RSXTBT.js | AI (source-diff): Bundled CLI chunk with expected network+exec patterns for a deployment CLI tool. | ai |
source-diff | net-exec-file:dist/chunks/chunk-PKUYGVBJ.js | AI (source-diff): Bundled CLI chunk with expected network+exec patterns; stable for vercel CLI. | ai |
source-diff | large-new-source-files | AI (source-diff): Chunk filenames rotate on each build; large bundles are normal for this CLI. | ai |
source-diff | net-exec-file:dist/chunks/chunk-RNIZUKES.js | AI (source-diff): Bundled CLI chunk with network+exec is expected for Vercel CLI; not malicious. | ai |
source-diff | net-exec-file:dist/chunks/chunk-L3JT6XDK.js | AI (source-diff): Bundled CLI chunk with standard network+exec patterns; expected for a deployment CLI tool. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): matheuss is a known Vercel team member; stable for this package. | ai |
phantom-deps | phantom-dep:@vercel/remix-builder | AI (phantom-deps): Framework adapter loaded by convention. | ai |
phantom-deps | phantom-dep:@vercel/express | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/fastify | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/redwood | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
typosquat | typosquat.levenshtein:parcel | AI (typosquat): vercel is the canonical Vercel CLI brand, not a typosquat of parcel. | ai |
phantom-deps | phantom-dep:@vercel/hydrogen | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/static-build | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/backends | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known runtime/binary implicit dependency for this CLI build tool. | ai |
phantom-deps | phantom-dep:smol-toml | AI (phantom-deps): Referenced in config files by convention; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@vercel/go | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/h3 | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/koa | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/hono | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/next | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/node | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/ruby | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/rust | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/elysia | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/nestjs | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@vercel/python | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai |

Versions (showing 22 of 22)

Version | Deps | Published
54.8.0 | 34 / 128 |
54.7.1 | 33 / 128 |
54.7.0 | 33 / 128 |
54.6.1 | 33 / 128 |
54.6.0 | 33 / 128 |
54.5.1 | 33 / 128 |
54.5.0 | 33 / 128 |
54.4.1 | 33 / 128 |
54.4.0 | 33 / 128 |
54.3.0 | 33 / 128 |
54.2.0 | 33 / 128 |
54.1.0 | 33 / 128 |
54.0.0 | 33 / 127 |
53.4.0 | 33 / 127 |
53.3.2 | 33 / 127 |
53.3.1 | 33 / 127 |
53.3.0 | 33 / 127 |
53.2.0 | 31 / 127 |
53.1.0 | 31 / 132 |
53.0.1 | 31 / 132 |
52.2.1 | 31 / 133 |
52.2.0 | 32 / 133 |

v54.8.0

4 findings
HIGH  New file with network + code execution: dist/chunks/chunk-KFVMKDQD.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New obfuscated file: dist/chunks/exec-JSOL4CYJ.js  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New file with network + code execution: dist/chunks/exec-JSOL4CYJ.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.7.1

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-GIJMTTDG.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.7.0

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-QAHIBMRJ.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.6.1

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-V2EPUZ7C.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.6.0

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-PKUYGVBJ.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.5.1

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-CWRL2B64.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.5.0

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-W5RSXTBT.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.4.1

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-L3JT6XDK.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.4.0

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-L3JT6XDK.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.3.0

2 findings
HIGH  New file with network + code execution: dist/chunks/chunk-RNIZUKES.js  [source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.2.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.1.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v54.0.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.4.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.3.2

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.3.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.3.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.2.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.1.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v53.0.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v52.2.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v52.2.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.