
@aahoughton/oav-core

HTTP-aware OpenAPI request/response validator with a JSON Schema codegen compiler. Zero runtime dependencies; install @aahoughton/oav for the batteries-included experience (YAML readers + CLI).

Versions: 7
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

aahoughton

Keywords

cli, http, json-schema, json-schema-2020-12, openapi, openapi-3.0, openapi-3.1, openapi-3.2, openapi3, schema, validation, validator

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:dist/chunk-TR7B53OF.cjs | AI (source-diff): Code generation for JSON Schema validation; URL strings are vocabulary identifiers, not network calls. Stable pattern for this package. | ai |
source-diff | net-exec-file:dist/chunk-FFJS7MUM.js | AI (source-diff): ESM equivalent of the same codegen pattern; false positive for this schema-compiler package. | ai |
source-diff | net-exec-file:dist/chunk-MMIYWQBD.cjs | AI (source-diff): Code generation for JSON Schema validation; ctx.gen.line emits validator code strings, not dynamic eval of remote content. | ai |
source-diff | net-exec-file:dist/chunk-YHW6KGRO.js | AI (source-diff): ESM equivalent of the same codegen pattern; no actual network fetch or eval of remote code. | ai |
source-diff | net-exec-file:dist/chunk-A57DO7ZQ.cjs | AI (source-diff): Code generation is the library's documented core feature; ctx.gen.line() emits validator code, not malware. | ai |
source-diff | net-exec-file:dist/chunk-AYRRKP4K.js | AI (source-diff): Same codegen pattern in ESM chunk; stable false positive for this JSON Schema compiler package. | ai |
install-scripts | install-script:preinstall | AI (install-scripts): Standard pnpm-only enforcement guard; only fires inside the monorepo workspace, harmless to downstream consumers. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
2.2.0 | 0 / 9 |
2.1.0 | 0 / 9 |
2.0.0 | 0 / 9 |
1.1.2 | 0 / 9 |
1.1.1 | 0 / 9 |
1.1.0 | 0 / 9 |
1.0.0 | 0 / 9 |

v2.2.0

3 findings
[HIGH] New file with network + code execution: dist/chunk-TR7B53OF.cjs (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: dist/chunk-FFJS7MUM.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

3 findings
[HIGH] New file with network + code execution: dist/chunk-A57DO7ZQ.cjs (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: dist/chunk-AYRRKP4K.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

3 findings
[HIGH] New file with network + code execution: dist/chunk-MMIYWQBD.cjs (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[HIGH] New file with network + code execution: dist/chunk-YHW6KGRO.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.