@directus/api

Directus is a real-time API and App dashboard for managing SQL database content

Versions: 4
License: BUSL-1.1
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

benhaynes, rijk, alexgaillard88, licitdev

Keywords

directus, realtime, database, content, api, rest, graphql, app, dashboard, headless, cms, mysql, postgresql, cockroachdb, sqlite, framework, vue

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| dependencies | unvetted-dep:@directus/ai | AI (dependencies): Same-org @directus scoped package; consistent with AI feature additions in this release. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Active monorepo; version gap reflects prior approved version in registry, not true account dormancy. | ai | |
| dependencies | unvetted-dep:@braintrust/otel | AI (dependencies): Braintrust is a known AI observability vendor; dep added alongside @directus/ai integration. | ai | |
| dependencies | unvetted-dep:samlify | AI (dependencies): SAML SSO library; expected for Directus auth integrations. | ai | |
| dependencies | unvetted-dep:json2csv | AI (dependencies): CSV export utility; consistent with Directus data export features. | ai | |
| dependencies | unvetted-dep:@tus/utils | AI (dependencies): TUS resumable upload protocol; expected for Directus file uploads. | ai | |
| dependencies | unvetted-dep:@tus/server | AI (dependencies): TUS resumable upload server; expected for Directus file uploads. | ai | |
| dependencies | unvetted-dep:exif-reader | AI (dependencies): EXIF metadata reader; consistent with Directus image processing. | ai | |
| dependencies | unvetted-dep:micromustache | AI (dependencies): Lightweight template engine; used for Directus email/notification templates. | ai | |
| dependencies | unvetted-dep:@directus/specs | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/errors | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/schema | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/storage | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@godaddy/terminus | AI (dependencies): Well-known graceful shutdown library from GoDaddy; stable ecosystem package. | ai | |
| dependencies | unvetted-dep:@directus/constants | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/system-data | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/format-title | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@authenio/samlify-node-xmllint | AI (dependencies): SAML XML linting companion; expected alongside samlify for auth. | ai | |
| dependencies | unvetted-dep:@directus/storage-driver-local | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:icc | AI (dependencies): Legitimate ICC profile parsing library; consistent with Directus image handling. | ai | |
| dependencies | unvetted-dep:pm2 | AI (dependencies): Well-known process manager; used for Directus CLI process management. | ai | |
| dependencies | unvetted-dep:ldapjs | AI (dependencies): Standard LDAP auth library; expected for Directus SSO/auth features. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is a dev/build tool referenced in scripts, not a runtime import. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv used in config/env context, not a direct runtime import. | ai | |
| phantom-deps | phantom-dep:tsdown | AI (phantom-deps): tsdown is a build tool referenced in build scripts. | ai | |
| phantom-deps | phantom-dep:openapi3-ts | AI (phantom-deps): openapi3-ts is a type-level dependency used in specs/schema generation. | ai | |
| phantom-deps | phantom-dep:@directus/extensions-sdk | AI (phantom-deps): Same-org package used as peer/optional dep in extension loading context. | ai | |
| phantom-deps | phantom-dep:@directus/schema-builder | AI (phantom-deps): Same-org package, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-s3 | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-gcs | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-azure | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-supabase | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-cloudinary | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of ajv. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of joi. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of hapi. | ai | |

Versions (showing 4 of 4)

| Version | Deps | Published |
| 35.1.0 | 132 / 41 | |
| 35.0.1 | 132 / 41 | |
| 34.0.0 | 128 / 42 | |
| 33.2.0 | 128 / 42 | |

v35.1.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v35.0.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v34.0.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v33.2.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.