@redocly/openapi-docs
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/services/code-samples/httpsnippet/helpers/device-auth-snippets.js | AI (source-diff): Minified but fully readable OAuth2 device-flow code generation; no malicious patterns present. | ai | |
| source-diff | encoded-string-file:dist/redocly-openapi-docs.min.js | AI (source-diff): Minified bundle; encoded strings are normal build output for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit runtime dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:jstoxml | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:path-browserify | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:web-vitals | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:json-pointer | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:url-template | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:fast-deep-equal | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): False positive on minified JSX bundle; no actual raw IP URL present in the sample. | ai | |
| phantom-deps | phantom-dep:swagger2openapi | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:stringify-object | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:@redocly/openapi-core | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:util | AI (phantom-deps): Declared dep used in config/build context; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:slugify | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on bundled output. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 3.21.0 | 21 / 30 | |
| 3.20.1 | 21 / 30 | |
| 3.20.0 | 21 / 30 | |
| 3.12.3 | 18 / 35 | |
| 3.12.2 | 18 / 35 | |
| 3.12.1 | 18 / 35 | |
| 3.12.0 | 18 / 35 | |
| 3.11.0 | 18 / 35 | |
| 3.10.3 | 24 / 44 | |
| 3.10.2 | 24 / 44 | |
| 3.10.1 | 24 / 44 | |
| 3.10.0 | 24 / 44 | |
| 3.9.1 | 24 / 44 | |
| 3.9.0 | 24 / 44 | |
v3.21.0
2 findings
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.20.0
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.