@ai-sdk/gateway
The Gateway provider for the [AI SDK](https://ai-sdk.dev/docs) allows the use of a wide variety of AI models and providers.
Versions: 100
License: Apache-2.0
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
vercel-release-bot, matheuss, matt.straka
Keywords
ai
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Vercel migrated from vercel-release-bot to GitHub Actions; both are CI publishers for the same org. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() usage is in a test file (gateway-provider.test.ts) to inspect internal model config — a standard testing pattern, not obfuscation in production code. | ai | |
| source-diff | obfuscated-file:dist/index.d.mts | AI (source-diff): TypeScript declaration file with long union type of model ID string literals, not obfuscation. Generated by tsup build from source. | ai | |
| dependencies | unvetted-dep:@ai-sdk/provider-utils | AI (dependencies): @ai-sdk/provider-utils is a sibling package in the Vercel AI SDK monorepo, published by the same trusted vercel-release-bot. Not a third-party risk. | ai | |
| provenance | no-provenance | AI (provenance): Vercel's release bot publishes without Sigstore provenance consistently; publisher trust and download volume provide sufficient confidence. | ai | |