@rocket.chat/api-client
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to rocketchat-buildmaster CI account is consistent with Rocket.Chat org automation; stable pattern going forward. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Rocket.Chat monorepo sub-package; missing metadata is a consistent pattern across their published packages, not a spam signal. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Consistent with Rocket.Chat monorepo publishing pattern; not indicative of malice. | ai | |
| phantom-deps | phantom-dep:filter-obj | AI (phantom-deps): filter-obj is a transitive dep of query-string; phantom-dep heuristic fires incorrectly here. | ai | |
| phantom-deps | phantom-dep:split-on-first | AI (phantom-deps): split-on-first is a transitive dep of query-string; phantom-dep heuristic fires incorrectly here. | ai | |
| phantom-deps | phantom-dep:strict-uri-encode | AI (phantom-deps): strict-uri-encode is a transitive dep of query-string; phantom-dep heuristic fires incorrectly here. | ai |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.2.56 | 6 / 8 | |
| 0.2.55 | 6 / 8 | |
| 0.2.54 | 6 / 8 | |
| 0.2.53 | 6 / 8 | |
| 0.2.52 | 6 / 8 | |
| 0.2.51 | 6 / 8 | |
| 0.2.50 | 6 / 8 | |
| 0.2.49 | 6 / 8 | |
| 0.2.48 | 6 / 8 | |
| 0.2.47 | 6 / 8 | |
| 0.2.46 | 6 / 8 | |
| 0.2.45 | 6 / 8 | |
| 0.2.44 | 6 / 8 | |
| 0.2.43 | 6 / 8 | |
| 0.2.42 | 6 / 8 | |
| 0.2.41 | 6 / 8 | |
| 0.2.40 | 6 / 8 | |
| 0.2.39 | 6 / 8 | |
| 0.2.38 | 6 / 8 | |
| 0.2.37 | 6 / 8 | |
| 0.2.36 | 6 / 8 | |
| 0.2.35 | 6 / 8 | |
| 0.2.34 | 6 / 8 | |
| 0.2.33 | 6 / 8 | |
| 0.2.32 | 6 / 8 | |
| 0.2.31 | 6 / 8 | |
| 0.2.30 | 6 / 8 | |
| 0.2.29 | 6 / 8 | |
| 0.2.28 | 6 / 7 | |
| 0.2.27 | 6 / 7 | |
| 0.2.26 | 6 / 7 | |
| 0.2.25 | 6 / 7 | |
| 0.2.24 | 6 / 7 | |
| 0.2.23 | 6 / 7 | |
| 0.2.22 | 6 / 7 | |
| 0.2.21 | 6 / 7 |
v0.2.56
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.55
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.54
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.53
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.52
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.51
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.50
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.49
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.48
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.47
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.46
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.44
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.43
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.42
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.41
2 findingsThis version was published by a different npm account than previous versions on 2025-10-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.40
2 findingsThis version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.39
2 findingsThis version was published by a different npm account than previous versions on 2025-10-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.38
2 findingsThis version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.37
2 findingsThis version was published by a different npm account than previous versions on 2025-09-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.36
2 findingsThis version was published by a different npm account than previous versions on 2025-08-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.35
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.