
@linear/sdk

33 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

jorilalloartmaneldhfinnigjatommoor

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
source-diff obfuscated-file:dist/index-CzdTWJtl.d.cts AI (source-diff): Generated TypeScript declaration bundle with long export lines; not obfuscation. ai
source-diff obfuscated-file:dist/index-CG6Mbhlq.d.mts AI (source-diff): Generated TypeScript declaration bundle with long export lines; not obfuscation. ai
source-diff obfuscated-file:dist/index-BO_mmABq.d.cts AI (source-diff): Auto-generated TypeScript declaration file with long GraphQL type export lines; not obfuscated. ai
source-diff obfuscated-file:dist/index-Cm_DW0lx.d.mts AI (source-diff): Auto-generated TypeScript declaration file with long GraphQL type export lines; not obfuscated. ai
source-diff obfuscated-file:dist/index-CDkw74Cy.d.mts AI (source-diff): Bundler-generated TypeScript declaration file with long export lists; not obfuscated code. ai
source-diff obfuscated-file:dist/index-DEFHVmIs.d.cts AI (source-diff): Bundler-generated TypeScript declaration file with long export lists; not obfuscated code. ai
source-diff obfuscated-file:dist/index-BUUA3N-U.d.mts AI (source-diff): TypeScript declaration file (.d.mts) with long namespace export lines. Not executable; expected for large GraphQL SDK type bundles. ai
source-diff obfuscated-file:dist/index-D2OpN-qp.d.cts AI (source-diff): TypeScript declaration file with long lines due to large namespace export lists of GraphQL types. Not executable code; not obfuscation. Expected pattern for large GraphQL SDKs. ai
source-diff obfuscated-file:dist/index-ZingMK-8.d.mts AI (source-diff): TypeScript declaration bundle with long lines from large namespace exports — standard build artifact for a comprehensive GraphQL SDK, not obfuscation. ai
source-diff obfuscated-file:dist/index-WIxhBqz5.d.cts AI (source-diff): TypeScript declaration bundle with long lines from large namespace exports — standard build artifact for a comprehensive GraphQL SDK, not obfuscation. ai
source-diff obfuscated-file:dist/index-CKiXTjiH.d.cts AI (source-diff): TypeScript declaration file with long lines from bundled namespace exports — standard artifact of bundled .d.ts generation for large GraphQL SDKs, not obfuscation. ai
source-diff obfuscated-file:dist/index-CrGj3mb6.d.mts AI (source-diff): TypeScript declaration file with long lines from bundled namespace exports — standard artifact of bundled .d.ts generation for large GraphQL SDKs, not obfuscation. ai
source-diff obfuscated-file:dist/index-3NQ5jMUz.d.mts AI (source-diff): TypeScript declaration file (.d.mts) with long namespace export lines — bundler artifact for ESM types, not obfuscation. ai
source-diff obfuscated-file:dist/index-RGSHmGpe.d.cts AI (source-diff): TypeScript declaration file with long lines due to bundling hundreds of GraphQL types into a single namespace export — not executable code, not obfuscation. ai
source-diff obfuscated-file:dist/index-DtVBKYPy.d.mts AI (source-diff): TypeScript declaration file with long lines from bundled type exports — not obfuscation. Standard output for a large GraphQL SDK. ai
source-diff obfuscated-file:dist/index-eT4BK9yb.d.cts AI (source-diff): TypeScript declaration file with long lines from bundled type exports — not obfuscation. Standard output for a large GraphQL SDK. ai
source-diff obfuscated-file:dist/index-CArLFN-t.d.cts AI (source-diff): TypeScript declaration files for a large SDK legitimately contain very long lines due to namespace re-exports; not obfuscation. ai
source-diff obfuscated-file:dist/index-ClHDrkhS.d.mts AI (source-diff): TypeScript declaration files for a large SDK legitimately contain very long lines due to namespace re-exports; not obfuscation. ai
source-diff obfuscated-file:dist/index-CJwmoph1.d.cts AI (source-diff): TypeScript declaration file with long lines due to large namespace re-exports from a GraphQL SDK. Not obfuscated malicious code — standard bundler output for large type definitions. ai
source-diff obfuscated-file:dist/index-B5yFZcq7.d.mts AI (source-diff): TypeScript declaration file with long lines due to large namespace re-exports. Standard bundler output for large GraphQL SDK type definitions. ai
source-diff obfuscated-file:dist/index-DMxh237_.d.cts AI (source-diff): TypeScript declaration file with long lines from bundled namespace exports of GraphQL types — standard rolldown/rollup output for large SDKs, not obfuscation. ai
source-diff obfuscated-file:dist/index-CvYRfx0L.d.mts AI (source-diff): TypeScript declaration file with long namespace export lines — standard rolldown output for large GraphQL SDK, not obfuscation. ai
source-diff obfuscated-file:dist/index-oqX7k25Z.d.mts AI (source-diff): TypeScript declaration file with long lines caused by bundler concatenating exported type names — standard behavior for large SDK bundles, not obfuscation. ai
source-diff obfuscated-file:dist/index-lUg0pNgn.d.cts AI (source-diff): TypeScript declaration file with long lines caused by bundler concatenating exported type names — standard behavior for large SDK bundles, not obfuscation. ai
source-diff obfuscated-file:dist/index-BBxdiqQK.d.mts AI (source-diff): TypeScript declaration file with long lines is a bundler artifact (rolldown), not obfuscation. Content is clearly Linear API type exports. ai
source-diff obfuscated-file:dist/index-DPQVugF5.d.cts AI (source-diff): TypeScript declaration file with long lines is a bundler artifact (rolldown), not obfuscation. Content is clearly Linear API type exports. ai
source-diff obfuscated-file:dist/index-CExL-wAi.d.mts AI (source-diff): TypeScript declaration files for large GraphQL SDKs produce long single-line namespace exports; this is a known false positive for the line-length obfuscation heuristic. ai
source-diff obfuscated-file:dist/index-Bm4jA7_4.d.cts AI (source-diff): TypeScript declaration files for large GraphQL SDKs produce long single-line namespace exports; this is a known false positive for the line-length obfuscation heuristic. ai
source-diff obfuscated-file:dist/index-Bg44R1lb.d.mts AI (source-diff): Long lines in .d.mts files are caused by bundler-generated barrel exports for a large GraphQL SDK; content is clearly legitimate TypeScript type declarations, not obfuscation. ai
source-diff obfuscated-file:dist/index-BRQsFerc.d.cts AI (source-diff): Long lines in .d.cts files are caused by bundler-generated barrel exports for a large GraphQL SDK; content is clearly legitimate TypeScript type declarations, not obfuscation. ai
source-diff obfuscated-file:dist/index-CFvuCe7a.d.mts AI (source-diff): TypeScript declaration file (.d.mts) with long export namespace lines — normal rolldown bundler output for a large GraphQL SDK. ai
source-diff obfuscated-file:dist/index-DQEvPKMi.d.cts AI (source-diff): TypeScript declaration file with long export namespace lines — normal output for a large GraphQL SDK bundled with rolldown. No executable code. ai
source-diff obfuscated-file:dist/index-CmIsUdnE.d.cts AI (source-diff): TypeScript declaration file with long lines from large namespace exports of GraphQL types. No executable code; standard output for a large GraphQL SDK. ai
source-diff obfuscated-file:dist/index-CuNIJkIh.d.mts AI (source-diff): TypeScript declaration file with long namespace export lines. Standard output for a large GraphQL SDK; no executable code. ai
source-diff obfuscated-file:dist/index-THroZq4-.d.mts AI (source-diff): TypeScript declaration file with rolldown-generated namespace export lists. Standard SDK build artifact, no obfuscation. ai
source-diff obfuscated-file:dist/index-wEtH5Hmq.d.cts AI (source-diff): TypeScript declaration file with long lines from bundler (rolldown) namespace export lists. No executable code or obfuscation — standard SDK build artifact. ai
source-diff obfuscated-file:dist/index.mjs AI (source-diff): Minified ESM bundle from rolldown — content is clearly readable Linear SDK code. Long lines are expected for a 3.3MB bundled SDK. ai
source-diff obfuscated-file:dist/index.d.mts AI (source-diff): TypeScript declaration file with long re-export lines — standard bundled output for @linear/sdk, not obfuscation. ai
source-diff obfuscated-file:dist/index-CAP-XaGz.d.mts AI (source-diff): TypeScript declaration file with long export lines from rolldown bundler — standard build artifact for a large GraphQL SDK. ai
source-diff obfuscated-file:dist/index.d.cts AI (source-diff): TypeScript declaration file with long re-export lines — standard bundled output for @linear/sdk, not obfuscation. ai
source-diff obfuscated-file:dist/index-bbB9Ax4F.d.cts AI (source-diff): TypeScript declaration file with long export lines from rolldown bundler — standard build artifact for a large GraphQL SDK, not obfuscation. ai
provenance missing-githead AI (provenance): Package has SLSA provenance attestation via Sigstore, which is a stronger supply chain integrity signal than gitHead. Missing gitHead is likely a CI pipeline config change, not a malicious indicator. ai
maintainer-change maintainer-added AI (maintainer-change): Linear is an established company; maintainer additions are consistent with normal team growth, especially alongside a CI/CD publishing migration. ai
phantom-deps phantom-dep:@graphql-typed-document-node/core AI (phantom-deps): Declared but not directly imported; typical for GraphQL SDK packages that reference type-only deps in config. Stable false positive. ai
phantom-deps phantom-dep:isomorphic-unfetch AI (phantom-deps): Declared but not directly imported; likely used in build config or as a peer dep for this SDK package. Stable false positive. ai
provenance publisher-changed AI (provenance): Linear SDK migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation — this is a legitimate and security-positive transition for this established package. ai

Versions (showing 33 of 33)

Version Deps Published
85.0.0 1 / 30
84.0.0 1 / 30
83.0.0 1 / 30
82.1.0 1 / 30
82.0.0 1 / 30
81.0.0 1 / 30
80.1.0 1 / 30
80.0.0 1 / 30
79.0.0 1 / 30
78.0.0 1 / 30
77.0.0 1 / 30
76.0.0 1 / 30
75.0.0 1 / 30
74.0.0 1 / 30
73.0.0 1 / 30
72.0.0 1 / 30
71.0.0 1 / 30
70.0.0 1 / 30
69.0.0 1 / 30
68.1.1 2 / 29
68.1.0 2 / 29
68.0.0 2 / 29
67.0.0 2 / 29
66.0.1 3 / 35
65.2.0 3 / 25
65.1.0 3 / 25
65.0.0 3 / 25
64.0.0 3 / 25
63.4.0 3 / 25
63.3.0 3 / 25
63.2.0 3 / 25
63.1.0 3 / 25
63.0.0 3 / 25

v85.0.0

3 findings
HIGH New obfuscated file: dist/index-CzdTWJtl.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-CG6Mbhlq.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v84.0.0

3 findings
HIGH New obfuscated file: dist/index-BO_mmABq.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-Cm_DW0lx.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v82.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v82.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v81.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v80.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v68.0.0

7 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH New obfuscated file: dist/index-bbB9Ax4F.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-CAP-XaGz.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v67.0.0

7 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH New obfuscated file: dist/index-D2OpN-qp.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-BUUA3N-U.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.