@tryghost/admin-api

JavaScript Client Library for the Ghost [Admin API](https://ghost.org/docs/admin-api/)

Versions: 7
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

zimoatghostallouiskernalghostchrisraibleerisdsjohnonolankevinansfieldcobbspuraileencgnjlohminimaluminiumsam-lordpauladamdavisbobvaneckjoeegrigghadretjonhickmanerik-ghostsagzyvershwalmike182uklsingernickmoretonrblstr-ghostevanhahn-ghostweylandswartghost-slimertmciescojonatan-ghost9larsons

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| semgrep | semgrep:hex-decode | AI (semgrep): Decoding hex secret for JWT signing is the documented Ghost Admin API key format; not a malicious payload. | ai | |

Versions (showing 7 of 7)

Version Deps Published
1.14.8 3 / 4
1.14.4 3 / 4
1.14.3 3 / 4
1.14.2 3 / 4
1.13.16 3 / 4
1.13.15 3 / 4
1.13.14 3 / 4

v1.14.4

2 findings
HIGH Publisher changed: vershwal → rblstr-ghost (on 2026-01-12) provenance

This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.14.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.14.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.13.16

2 findings
HIGH Publisher changed: daniellockyer → erisds (on 2025-05-25) provenance

This version was published by a different npm account than previous versions on 2025-05-25. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.13.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.13.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.