@osdk/api
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/cjs/ObjectSet-CsJQ0rYb.d.cts | AI (source-diff): api-extractor-bundled TypeScript declaration file; long lines are normal for rolled-up .d.cts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-VVL7AQcF.d.cts | AI (source-diff): Bundled TypeScript declaration file with long lines from concatenated type definitions; not obfuscation. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-UryvRSlB.d.cts | AI (source-diff): Bundled TypeScript declaration file from api-extractor; long lines are type rollups, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-Cfm7EbMN.d.cts | AI (source-diff): Bundled TypeScript declaration file with long lines; content is readable type definitions, not obfuscated code. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Palantir OSDK package; empty description is stable across versions. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-DhM3bFfJ.d.cts | AI (source-diff): Bundled TypeScript declaration file with long lines from type unions; not obfuscated code. Stable pattern for this package's build output. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-BO3B__eI.d.cts | AI (source-diff): TypeScript declaration file with long lines from bundled type definitions; sample shows readable interface code, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-CADY0fcl.d.cts | AI (source-diff): Bundled TypeScript declaration file with long lines; sample shows clean interface definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/cjs/ObjectSet-CJm26Scn.d.cts | AI (source-diff): api-extractor-bundled .d.cts type declaration; long lines are normal for rolled-up type definitions, not obfuscation. | ai | |
| phantom-deps | phantom-dep:tiny-invariant | AI (phantom-deps): Likely used in bundled output; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@types/geojson | AI (phantom-deps): Type-only dependency; not directly imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:fetch-retry | AI (phantom-deps): Likely used indirectly or via bundled output; stable pattern for this monorepo package. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @osdk/api from Palantir; Levenshtein match against 'ajv' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @osdk/api from Palantir; Levenshtein match against 'joi' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @osdk/api from Palantir; Levenshtein match against 'hapi' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @osdk/api from Palantir; Levenshtein match against 'pg' is a false positive. | ai | |
Versions (showing 52 of 52)
| Version | Deps | Published |
|---|---|---|
| 2.28.0 | 4 / 6 | |
| 2.27.0 | 4 / 6 | |
| 2.26.0 | 4 / 6 | |
| 2.25.0 | 4 / 6 | |
| 2.24.0 | 4 / 6 | |
| 2.22.0 | 4 / 6 | |
| 2.21.0 | 4 / 6 | |
| 2.20.0 | 4 / 6 | |
| 2.19.0 | 4 / 6 | |
| 2.18.0 | 4 / 6 | |
| 2.17.0 | 4 / 6 | |
| 2.16.0 | 4 / 6 | |
| 2.15.0 | 4 / 6 | |
| 2.14.0 | 4 / 6 | |
| 2.13.0 | 4 / 6 | |
| 2.12.0 | 4 / 6 | |
| 2.11.0 | 4 / 6 | |
| 2.10.0 | 4 / 6 | |
| 2.9.0 | 4 / 6 | |
| 2.8.0 | 4 / 6 | |
| 2.7.8 | 4 / 6 | |
| 2.7.7 | 4 / 6 | |
| 2.7.6 | 4 / 6 | |
| 2.7.5 | 4 / 6 | |
| 2.7.4 | 4 / 6 | |
| 2.7.3 | 4 / 6 | |
| 2.7.2 | 4 / 6 | |
| 2.7.1 | 4 / 6 | |
| 2.7.0 | 4 / 6 | |
| 2.6.3 | 4 / 6 | |
| 2.6.2 | 4 / 6 | |
| 2.6.1 | 4 / 6 | |
| 2.6.0 | 4 / 6 | |
| 2.5.7 | 4 / 6 | |
| 2.5.6 | 4 / 6 | |
| 2.5.5 | 4 / 6 | |
| 2.5.4 | 4 / 6 | |
| 2.5.3 | 4 / 6 | |
| 2.5.2 | 4 / 6 | |
| 2.5.1 | 4 / 6 | |
| 2.5.0 | 4 / 6 | |
| 2.4.2 | 4 / 6 | |
| 2.4.1 | 4 / 6 | |
| 2.4.0 | 4 / 6 | |
| 2.3.4 | 4 / 6 | |
| 2.3.3 | 4 / 6 | |
| 2.3.2 | 4 / 6 | |
| 2.3.1 | 4 / 6 | |
| 2.3.0 | 4 / 6 | |
| 2.2.1 | 4 / 6 | |
| 2.2.0 | 4 / 6 | |
| 2.1.5 | 4 / 6 | |
v2.28.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.27.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.26.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.25.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.24.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.20.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.19.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.18.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.17.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.16.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.0
3 findings: This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.0
3 findings: This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.0
3 findings: This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.7
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.6
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.5
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.4
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.3
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.