@openid/appauth

Versions: 1
License: —
Install Scripts: No
Provenance: Missing

Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: iainmcgintikurahulve7jtb
Keywords: OAuth, AppAuth, JavaScript, Node
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 used as localhost redirect URI in the example node app — not a malicious endpoint. | ai | |
| phantom-deps | phantom-dep:form-data | AI (phantom-deps): form-data is a declared runtime dep used by the HTTP client layer; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@types/jquery | AI (phantom-deps): Type-only package loaded by convention for browser builds; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/base64-js | AI (phantom-deps): Type declaration package for base64-js which is a direct dep; stable false positive. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 1.3.2 | 6 / 17 | |
v1.3.2 (1 finding)

LOW: No provenance attestation (rule: provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.