vike
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/esm/node/vite/shared/loggerNotProd/errorWithCodeSnippet/fixture-errors/errBabelSolid.js | AI (source-diff): ESM variant of the same benign fixture error object. | ai | |
| source-diff | obfuscated-file:dist/cjs/node/vite/shared/loggerNotProd/errorWithCodeSnippet/fixture-errors/errBabelReact.js | AI (source-diff): Long lines are fixture error objects with embedded source code strings, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/esm/node/vite/shared/loggerNotProd/errorWithCodeSnippet/fixture-errors/errBabelReact.js | AI (source-diff): Same fixture error object pattern; ESM variant of the same benign file. | ai | |
| source-diff | obfuscated-file:dist/cjs/node/vite/shared/loggerNotProd/errorWithCodeSnippet/fixture-errors/errBabelSolid.js | AI (source-diff): Fixture error object with embedded source code strings; not obfuscation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Established package with active maintainer; long gap likely reflects development cycle, not account takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @babel/core and @babel/types are well-known, widely-used packages consistent with a build-tool refactor. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 45 new files consistent with a significant feature addition in a large framework; no obfuscation or malware indicators. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): Vike is an established framework intentionally named; not a typosquat of vite. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.4.258 | 23 / 11 | |
| 0.4.257 | 23 / 11 | |
| 0.4.256 | 17 / 11 | |
| 0.4.255 | 17 / 11 | |
| 0.4.254 | 17 / 11 | |
| 0.4.253 | 18 / 11 | |
| 0.4.252 | 18 / 11 | |
| 0.4.251 | 18 / 11 | |
| 0.4.250 | 18 / 11 | |
| 0.4.249 | 17 / 10 | |
| 0.4.248 | 17 / 10 | |
| 0.4.247 | 17 / 10 | |
| 0.4.246 | 17 / 10 | |
| 0.4.245 | 17 / 10 | |
| 0.4.244 | 17 / 10 | |
| 0.4.243 | 17 / 10 | |
| 0.4.242 | 17 / 10 | |
| 0.4.241 | 17 / 10 | |
| 0.4.240 | 17 / 10 | |
| 0.4.239 | 17 / 10 | |
| 0.4.238 | 17 / 10 | |
| 0.4.237 | 17 / 10 | |
| 0.4.236 | 17 / 10 | |
| 0.4.235 | 17 / 13 | |
| 0.4.234 | 17 / 13 | |
| 0.4.233 | 17 / 13 | |
| 0.4.232 | 17 / 13 | |
| 0.4.231 | 17 / 13 | |
| 0.4.230 | 17 / 13 |
v0.4.257
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.256
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.255
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.254
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.253
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.252
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.251
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.250
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.249
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.248
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.247
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.246
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.245
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.244
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.243
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.242
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.241
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.240
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.239
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.238
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.237
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.236
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.235
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.234
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.233
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.232
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.231
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.230
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.