@terascope/opensearch-client

A Node.js facade client for opensearch & elasticsearch.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

terascope-cigodberjsnoble1

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from terascope-ci to GitHub Actions is a CI migration; SLSA attestation confirms integrity.	ai	2026/05/20
provenance	missing-githead	AI (provenance): SLSA/Sigstore attestation present; gitHead absence is cosmetic given strong provenance signal.	ai	2026/05/19
dependencies	unvetted-dep:elasticsearch7	AI (dependencies): Official @elastic/elasticsearch aliased for multi-version support; stable pattern for this facade package.	ai	2026/05/08
dependencies	unvetted-dep:elasticsearch8	AI (dependencies): Official @elastic/elasticsearch aliased for multi-version support; stable pattern for this facade package.	ai	2026/05/08
dependencies	unvetted-dep:@terascope/core-utils	AI (dependencies): Sibling monorepo package from same org; expected dependency.	ai	2026/05/06
bogus-package	bogus-package	AI (bogus-package): Monorepo package; thin README and no keywords are typical for internal/utility packages in this org.	ai	2026/05/06
dependencies	unvetted-dep:@terascope/data-types	AI (dependencies): Sibling monorepo package from same org; expected dependency.	ai	2026/05/06
dependencies	unvetted-dep:opensearch1	AI (dependencies): Intentional npm alias for multi-version OpenSearch client support; stable pattern for this package.	ai	2026/05/06
dependencies	unvetted-dep:opensearch2	AI (dependencies): Intentional npm alias for multi-version OpenSearch client support; stable pattern for this package.	ai	2026/05/06
dependencies	unvetted-dep:opensearch3	AI (dependencies): Intentional npm alias for multi-version OpenSearch client support; stable pattern for this package.	ai	2026/05/06

Versions (showing 11 of 11)

Version	Deps	Published
2.7.0	7 / 1	2026-05-15
2.6.0	7 / 1	2026-04-30
2.5.2	7 / 1	2026-04-20
2.3.3	7 / 1	2026-03-27
2.2.3	7 / 1	2026-02-23
2.2.2	7 / 1	2026-02-19
2.2.1	7 / 0	2026-02-19
2.0.7	9 / 0	2026-02-02
2.0.5	9 / 0	2026-01-28
2.0.1	9 / 0	2026-01-23
2.0.0	9 / 0	2026-01-13

v2.7.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.2

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: terascope-ci → GitHub Actions (on 2026-04-20) provenance

This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.