@metriport/api-sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv is legitimately declared and used; phantom-dep rule is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is legitimately declared and used; phantom-dep rule is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:validator | AI (phantom-deps): validator is legitimately declared and used; phantom-dep rule is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:aws-sdk | AI (typosquat): @metriport/api-sdk is a scoped package from the established Metriport organization with 1000+ days history and 365 versions; the Levenshtein similarity to aws-sdk is coincidental and not a typosquat. | ai |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 18.14.1 | 8 / 10 | |
| 18.14.0 | 8 / 10 | |
| 18.11.0 | 8 / 10 | |
| 18.10.1 | 8 / 10 | |
| 18.10.0 | 8 / 10 | |
| 18.9.0 | 8 / 10 | |
| 18.8.3 | 8 / 10 | |
| 18.8.2 | 8 / 10 | |
| 18.8.1 | 8 / 10 | |
| 18.6.0 | 8 / 10 | |
| 18.5.0 | 8 / 10 | |
| 18.4.0 | 8 / 10 | |
| 18.2.1 | 8 / 10 | |
| 18.2.0 | 8 / 10 | |
| 18.1.2 | 8 / 10 | |
| 18.1.1 | 8 / 10 | |
| 18.1.0 | 8 / 10 | |
| 18.0.11 | 8 / 10 | |
| 18.0.10 | 8 / 10 | |
| 18.0.9 | 8 / 10 | |
| 18.0.8 | 8 / 10 | |
| 18.0.7 | 8 / 10 | |
| 18.0.6 | 8 / 10 | |
| 18.0.5 | 7 / 10 | |
| 18.0.4 | 7 / 10 | |
| 18.0.3 | 7 / 10 | |
| 18.0.2 | 7 / 10 | |
| 18.0.1 | 7 / 10 |
v18.14.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (radmirgaripov) than the most recent previously approved version (jwar44) on 2026-06-06, but radmirgaripov is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.11.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (lucasdellabella-metriport) than the most recent previously approved version (ziqi-liu-dev) on 2026-05-23, but lucasdellabella-metriport is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.10.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jwar44) than the most recent previously approved version (lucasdellabella-metriport) on 2026-06-01, but jwar44 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ziqi-liu-dev) than the most recent previously approved version (rafaelleite) on 2026-05-11, but ziqi-liu-dev is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.9.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.8.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.8.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.