← Home

@draht/ai

npm Repository

Unified LLM API with automatic model discovery and provider configuration

12
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

execute008

Keywords

aillmopenaianthropicgeminibedrockunifiedapi

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Likely a one-off publish environment change; no other risk signals present and no code/dep changes from prior approved version. ai
phantom-deps phantom-dep:@mistralai/mistralai AI (phantom-deps): Declared runtime dep used via config/indirect import; stable false positive for this package. ai
typosquat typosquat.levenshtein:qs AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of qs; Levenshtein match is coincidental. ai
typosquat typosquat.levenshtein:joi AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of joi; Levenshtein match is coincidental. ai
typosquat typosquat.levenshtein:ajv AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of ajv; Levenshtein match is coincidental. ai
typosquat typosquat.levenshtein:hapi AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of hapi; Levenshtein match is coincidental. ai
phantom-deps phantom-dep:undici AI (phantom-deps): undici is a declared runtime dep; known implicit/indirect usage pattern for HTTP clients. ai
phantom-deps phantom-dep:zod-to-json-schema AI (phantom-deps): zod-to-json-schema is a declared runtime dep; phantom-dep heuristic false positive for config-referenced deps. ai
phantom-deps phantom-dep:chalk AI (phantom-deps): chalk is a declared runtime dep used in CLI output; phantom-dep heuristic false positive. ai
typosquat typosquat.levenshtein:pg AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of pg; Levenshtein match is coincidental. ai

Versions (showing 12 of 12)

Version Deps Published
2026.5.12 14 / 3
2026.4.26 14 / 3
2026.4.25 14 / 3
2026.4.23 14 / 3
2026.4.5 14 / 3
2026.3.25 14 / 3
2026.3.14 14 / 3
2026.3.6 13 / 3
2026.3.5 13 / 3
2026.3.4 13 / 3
2026.3.3 13 / 3
2026.3.2 13 / 3

v2026.5.12

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.4.26

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2026.4.25

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.4.23

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.4.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2026.3.25

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.3.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.3.6

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.3.5

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.3.4

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2026.3.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2026.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.