@kubernetes/client-node
NodeJS client for kubernetes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:jsonpath | AI (dependencies): jsonpath is a well-known, legitimate JSON querying library with no malicious signals; stable dependency for this package. | ai | |
| phantom-deps | phantom-dep:@types/websocket | AI (phantom-deps): TypeScript @types packages are framework-scoped and loaded by convention; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/bluebird | AI (phantom-deps): TypeScript @types packages are framework-scoped and loaded by convention; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/mock-fs | AI (phantom-deps): TypeScript @types packages are framework-scoped and loaded by convention; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/base-64 | AI (phantom-deps): TypeScript @types packages are framework-scoped and loaded by convention; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:bluebird | AI (phantom-deps): bluebird is a legitimate Promise library; declared as dependency for transitive use, not a security concern for this package. | ai | |
| dependencies | unvetted-dep:@types/mock-fs | AI (dependencies): TypeScript type definition package for mock-fs; no security risk, used for testing conventions in this TypeScript package. | ai | |
| dependencies | unvetted-dep:@types/base-64 | AI (dependencies): TypeScript type definition package; no security risk, framework-scoped usage is expected for this TypeScript package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by auto-generated API surface for the full Kubernetes API; consistent with the package's purpose and major version bump. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count is due to auto-generated Kubernetes API client code covering hundreds of resource types; expected for this package's major version release. | ai | |
| phantom-deps | phantom-dep:@types/underscore | AI (phantom-deps): TypeScript type definitions are conventionally loaded without direct imports; expected for TS projects. | ai | |
| phantom-deps | phantom-dep:@types/request | AI (phantom-deps): TypeScript type definitions; conventionally loaded without direct imports. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 71 versions and 3050-day history; lack of Sigstore provenance is common and not a disqualifier here. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a standard HTTP client library; its use in a Kubernetes client is expected and stable. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Official Kubernetes client; dormancy is normal for stable infra libraries. SLSA provenance confirms legitimate CI/CD publish. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Deps are well-known packages (tar, tmp-promise, @types/*); replacing tar-fs with tar is a routine maintenance change. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime utility; implicit dependency is expected and stable for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from individual maintainer to GitHub Actions CI/CD, corroborated by SLSA provenance attestation. Standard automation migration. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): TypeScript type definitions for ws; conventionally loaded without direct imports. | ai | |
| phantom-deps | phantom-dep:@types/tar | AI (phantom-deps): TypeScript type definitions; conventionally loaded without direct imports. | ai | |
| dependencies | unvetted-dep:stream-buffers | AI (dependencies): stream-buffers is a standard utility for stream handling; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:jsonpath-plus | AI (dependencies): jsonpath-plus is a standard JSON query library; appropriate for Kubernetes client operations. | ai | |
| dependencies | unvetted-dep:@types/stream-buffers | AI (dependencies): TypeScript type definitions package; no runtime security risk. | ai | |
| dependencies | unvetted-dep:socks-proxy-agent | AI (dependencies): socks-proxy-agent is a legitimate SOCKS proxy library; appropriate for a Kubernetes client needing proxy support. | ai | |
| dependencies | unvetted-dep:@types/node-fetch | AI (dependencies): TypeScript type definitions package; no runtime security risk. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): Framework-scoped TypeScript type package; phantom-dep finding is expected and benign for TypeScript libraries. | ai | |
| dependencies | unvetted-dep:hpagent | AI (dependencies): hpagent is a legitimate HTTP proxy agent library, appropriate for a Kubernetes client needing proxy support. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Node.js type definitions; standard for all Node.js TypeScript projects. | ai | |
| phantom-deps | phantom-dep:@types/js-yaml | AI (phantom-deps): TypeScript type definitions; conventionally loaded without direct imports. | ai | |
| phantom-deps | phantom-dep:@types/stream-buffers | AI (phantom-deps): TypeScript type definitions; conventionally loaded without direct imports. | ai | |
| dependencies | unvetted-dep:openid-client | AI (dependencies): openid-client is a legitimate OIDC library; appropriate for Kubernetes OIDC authentication support. | ai | |
| dependencies | unvetted-dep:isomorphic-ws | AI (dependencies): isomorphic-ws is a standard WebSocket abstraction library, appropriate for a Kubernetes client needing exec/watch support. | ai | |
| dependencies | unvetted-dep:node-fetch | AI (dependencies): node-fetch is a widely-used HTTP client library; appropriate dependency for a Kubernetes client. | ai | |
| dependencies | unvetted-dep:rfc4648 | AI (dependencies): rfc4648 is a well-known base64/base32 encoding library with no security concerns. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): WebSocket library referenced in config files; standard for Kubernetes client communication. | ai | |
| dependencies | unvetted-dep:tar-fs | AI (dependencies): tar-fs is a well-known, widely-used npm package appropriate for a Kubernetes client that handles container image operations. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.22.2 | 10 / 26 | |
| 0.10.3 | 16 / 23 | |
| 0.7.0 | 17 / 13 | |
| 0.1.1 | 11 / 12 | |
v0.22.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.