@arcgis/api-extractor
**No Esri Technical Support included.**
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/worker-DDNcHxL0.js | AI (source-diff): Vite/Rollup bundle with readable imports; not obfuscated. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/worker-CkGRjK6Y.js | AI (source-diff): Hash-suffixed Vite/Rollup bundle; readable ESM imports, no obfuscation or malicious payload. | ai | |
| source-diff | obfuscated-file:dist/worker-B2dTvZc5.js | AI (source-diff): Vite/Rollup bundle with hashed filename; imports are readable and reference known @arcgis/* scoped packages. Minification is expected for this build tool. | ai | |
| source-diff | obfuscated-file:dist/worker-ClDNnLUL.js | AI (source-diff): Vite/Rollup bundled output with hashed filename; readable imports and logic confirm it is minified build artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/worker-3dV1pb6B.js | AI (source-diff): Bundled/minified build output with readable imports; standard for this package's dist. | ai | |
| source-diff | obfuscated-file:dist/worker-BV78pJZn.js | AI (source-diff): Bundled build output with readable imports; not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/worker-DFheWxId.js | AI (source-diff): Vite-bundled output with hashed filename; sample shows readable API extractor logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/worker-ClSLcZoJ.js | AI (source-diff): Vite/Rollup bundle with hashed filename; readable imports confirm legitimate @arcgis tooling code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/worker-BAxkcGa7.js | AI (source-diff): Vite/Rollup bundle output with hashed filename; code sample shows normal ESM imports, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/worker-C7OMd603.js | AI (source-diff): Vite/Rollup build chunk with hashed filename; long lines are minified but readable ESM, no obfuscation or malicious payload. | ai | |
| source-diff | obfuscated-file:dist/worker-BEZQrqlM.js | AI (source-diff): Vite/Rollup bundle with hashed filename; readable imports, no obfuscation — standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/worker-BYoX-cfx.js | AI (source-diff): Vite-bundled ESM worker with hashed filename; long lines are minified but imports are plaintext and benign. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal tooling package in the @arcgis monorepo; sparse metadata is a consistent pattern across the suite, not a malice indicator. | ai | |
| source-diff | obfuscated-file:dist/worker-CZACER9V.js | AI (source-diff): Vite/Rollup bundle with hashed filename; imports are readable ESM, no obfuscation or payload. | ai | |
| source-diff | obfuscated-file:dist/worker-OBhXOSAV.js | AI (source-diff): Vite/Rollup bundle with hash-named output; sample shows readable ESM imports, not obfuscation. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a declared runtime dependency; implicit usage is expected. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is declared and used; config-file reference is expected for CLI tools. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 5.0.19 | 6 / 0 | |
| 5.0.18 | 6 / 0 | |
| 5.0.17 | 6 / 0 | |
| 5.0.16 | 6 / 0 | |
| 5.0.14 | 6 / 0 | |
| 5.0.13 | 6 / 0 | |
| 5.0.11 | 6 / 0 | |
| 5.0.10 | 6 / 0 | |
| 5.0.9 | 6 / 0 | |
| 5.0.8 | 6 / 0 | |
| 5.0.7 | 6 / 0 | |
| 5.0.6 | 6 / 0 | |
| 5.0.5 | 6 / 0 | |
| 5.0.4 | 6 / 0 | |
| 5.0.3 | 6 / 0 | |
| 5.0.2 | 6 / 0 | |
| 5.0.1 | 6 / 0 | |
| 5.0.0 | 6 / 0 | |
| 4.34.9 | 4 / 0 | |
| 4.34.8 | 4 / 0 | |
| 4.34.7 | 4 / 0 | |
| 4.32.16 | 4 / 0 |
v5.0.19
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.14
3 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.13
3 findingsThis version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.11
3 findingsThis version was published by a different npm account than previous versions on 2026-03-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.10
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.9
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.34.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.34.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.34.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.32.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.